Greg Ferro



The Security Profession Is A Mess

I've been considering how to build a network security plan for a small data center with an online presence. To put the proposal together, I needed to develop some sort of structure in the security space so that I could research products and vendors. What I found is that implementing firewalls and IDSes is simple. Finding competent security professionals is not.

I started by breaking down my security technology into two parts: active and passive security. I define passive security the way many companies do--passive security implements controls on the networks with static devices that are configured and then provide a passive block or control to network traffic. My list of some of the devices is:

  • Firewalls
  • Intrusion detection/Intrusion prevention (IDS/IPS) systems
  • Web application firewalls (WAFs)
  • Distributed denial of service (DDoS) tools
  • Logging services

All of these technologies are deployed, configured and forgotten. Firewall rules are configured and remain static. IDS/IPS devices have rules enabled in groups or categories and are then left to monitor traffic. Although a WAF should be configured often in response to new threats, most companies don't have the skills to keep updating the rules and configure the most basic functions such as the OWASP Top 10. In this context, a WAF is a passive security tool, not an active one.

Anti-DDoS tools are also passive for smaller companies because they are configured to perform rate-based protocol inspection and, possibly, protocol validation and some content inspection. Anti-DDoS appliances trigger a response once configured thresholds have been set and may take action to filter traffic that matches the configured rule base. Finally, log servers are configured and will collect and store the data from the security infrastructure.

I exclude VPN and authentication services from the security portfolio. In the past, remote access has been a high priority security topic, but now it's so important and vital to modern business that it is a unique design topic with the rise of mobile devices.

I've defined active security tools as those tools that require constant intervention and changes because they proactively change the security posture. A passive security tool enforces security policy, while active tools adapt security policy to changing conditions. My list of active tools is:

  • Network and firewall audits to validate good practices and configuration
  • Process reviews of firewall rule approval
  • Penetration testing and vulnerability scanning
  • Application testing for security holes
  • Development practices to develop secure, low-risk code

Obviously, my list of active security tasks doesn't comprise products. There are tools to assist with delivering these services, but they require people to conduct the tasks and review the responses. When I considered this view, it seemed clear that passive security is easy to design and implement, but active security requires a different approach including recognition that IT security is a moving target that requires ongoing involvement from people.

When it came to allocating the budget, I invested in passive security. I have to have these services in place. Passive security is a mandatory requirement. But, really, I needed to invest much more in active security to get an acceptable security posture. I have found that the whole area of active security products and services is immature. Few products exist, and they are all overpriced; features are poor, and flexibility is abysmal. At the time, every vendor pitched the "fear, uncertainty and doubt" to me.

I also had some discussions with security "professionals" about what sort of people I would hire to perform the work. Frankly, I was unimpressed. These so-called security professionals had very little talent or experience in core competencies like time management, communication and business awareness, and they wanted to focus on passive security skills instead of practical issues.

In the end, I couldn't recommend an active security strategy. I couldn't hire the right people, or reasonably provide the tools they needed to make the job happen. Conclusion? The security profession is in a mess. No tools, poor skills and bad attitude across a wide range of people. It's time to be worried.

