These multiple firewalls are all part of the company's strategy to have a solid security infrastructure in place. "We spend enormous time and energy on security prevention--that has grown more so than our bandwidth capabilities," Potosky says. "Now we have three different crews of people dealing with security: one at the broader information security level, one for the Web infrastructure level that also handles the application servers and integration servers, and then one crew working at the pure network level. There is a lot we can track and monitor, and this granularity is a key part of our architecture."
Third, the company virtualizes as much of its computing infrastructure as possible, including servers, operating systems, storage and software. Employees use VoIP phones so that, as they move from one job to another, they can keep the same phone number without the IT department having to track the change. This is nothing new--after all, IBM has been running virtual machines on its mainframes for decades. But Freddie Mac is attempting this throughout its network, for example by running multiple instances of applications to share the load.
The next frontier is to virtualize the entire network infrastructure, having a personal VLAN created on the fly for particular users and particular applications. "That is a lot more difficult," Manning says. "VLANs have issues that cross wide-area networks. That is a fixed infrastructure, and we want to be able to do it on the fly as much as possible." To get ready for this situation, Freddie Mac has upgraded all its Cisco routers to the latest versions and is beginning a pilot network access control project to monitor endpoint security.
Finally, Freddie Mac doesn't take anything for granted and has been particularly fussy when it comes to handling insecure applications, such as File Transfer Protocol (FTP). The company uses a proprietary FTP server that doesn't grant access to the underlying file system, requires authentication for sending or receiving, and has point-to-point firewall controls, under a VPN. Freddie Mac uses FTP-SSL products as well as those compatible with FTP over SSL connections.
David Strom was the founding editor in chief of Network Computing and is now a freelance writer living in St. Louis. He is the author of two computer books and is a frequent writer, blogger, speaker and podcaster. You'll find his blog at strominator.com.