Dynamic business world needs intelligent LAN switches, says report

Because of a growing 'virtualization' of corporate employees, a Yankee Group researcher says access control needs to be enforced continuously rather than just once at the network gateway.

Organisations that rely on traditional network controls for security, such as virtual LANs and access control lists, will struggle to cope with increasingly fluid network usage, said a new report from the Yankee Group, a Boston-based research firm.

According to the analysis, a combination of factors will force a different approach: the rise of mobile and remote workers, greater use of outside contractors, the deployment of Web 2.0 applications, and virtualisation of systems, to name a few.

"Today's more dynamic network requirements are driven in large part by a 'virtualization' of corporate employees—their location, the blurring between their work and personal life, and the technologies they use at home and in the office," the report stated.

Traditional LAN switches, which work low down in the network stack, operate on limited information, such as MAC addresses and access control lists. They can be moulded into supporting a more dynamic business environment, but, as the research suggested, doing so takes a lot of time and effort from IT operations:

"The rigid subnetting, DMZs, virtual LANs and access control lists (ACLs) used in LANs today are not flexible enough to accommodate the rapid provisioning and deprovisioning of services […] that businesses need to support ad hoc groups and other aspects of the virtualized organization."

The report, which was sponsored by ConSentry Networks, Inc. and authored by Phil Hochmuth, is entitled "The Era of the Virtualized Organization Demands Context-Aware LANs." Hochmuth proposes that the LAN itself needs to become more aware of the context of any traffic because the users, their location, the application they are using, and even the time of day, may influence how their traffic is handled.

For instance, IT may need to distinguish between a user who is accessing a Web-based ERP system and one who is just browsing the Internet. And IT staff may want to detect where users are running their own applications, possibly on their own devices, and using collaborative tools such as Google Apps, perhaps to bypass corporate controls.

Network access, however, is usually governed by the location of the user's desk, what ports the PC is plugged into and which servers it can access on that subnet.

"This topology-based construct is due in large part to existing network forwarding and routing techniques—the MAC forwarding table at Layer 2 and the IP routing table at Layer 3," according to the Yankee Group analysis. "Decisions as to where traffic can and cannot go, at what rate it moves and how long it can remain connected, all happen based on these parameters."

Virtualisation of systems, which allows server images and their workloads to be moved to different parts of a network, also creates problems for static network-based server access controls, which rely on IP addresses, server names or MAC addresses.

The answer, Hochmuth suggests, is to build more intelligence and context-awareness into the network, arguing that this is the logical place to enforce policy.

"Most companies are running on 20-year-old switch technology, but LANs are no longer static," said Jeff Prince, chief technology officer of ConSentry. "We now have different ways of connecting, with guest users, offshore partners needing to access the network. Businesses need to keep up with this virtualised world."

He said the network, far from being a collection of "dumb pipes," was the logical place to enforce policy and provide security. For instance, he said network access control should not be a one-off process at the network gateway, but should be enforced continuously by having the LAN ensure that all traffic complies with policy.
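The following is an added illustration, not code from the report or from any ConSentry product, of the difference between the two models described above: a context-aware policy that decides on user role, location, application and time of day, evaluated for every flow rather than once at the gateway. All users, roles, locations and rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Flow:
    """One observed traffic flow plus the context the report says should drive policy."""
    user: str
    role: str           # constructed roles: "employee", "contractor", "guest"
    location: str       # constructed locations: "hq-desk", "vpn", "guest-wifi"
    application: str    # constructed apps: "erp", "web-browsing", "google-apps"
    hour: int           # local hour of the flow, 0-23

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Flow], bool]
    action: str         # "allow" or "deny"

# Constructed context-aware policy: first matching rule wins, default deny.
# Note that no rule refers to a port, subnet, VLAN or MAC address.
POLICY: List[Rule] = [
    Rule("contractors-no-erp",
         lambda f: f.role == "contractor" and f.application == "erp", "deny"),
    Rule("erp-business-hours-only",
         lambda f: f.application == "erp" and not 7 <= f.hour < 20, "deny"),
    Rule("erp-employees-trusted-locations",
         lambda f: f.application == "erp" and f.role == "employee"
         and f.location in ("hq-desk", "vpn"), "allow"),
    Rule("guest-wifi-browsing-only",
         lambda f: f.location == "guest-wifi" and f.application == "web-browsing", "allow"),
    Rule("employee-browsing",
         lambda f: f.role == "employee" and f.application == "web-browsing", "allow"),
]

def decide(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, rule name) for a single flow."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "default"

def enforce_continuously(flows: List[Flow]) -> List[Tuple[str, str, str, str]]:
    """Apply the policy to every flow the LAN sees, not just the first one at admission."""
    return [(f.user, f.application, *decide(f)) for f in flows]

# Constructed sample: the same employee is allowed ERP at her desk during the day
# but denied it over VPN at night; a contractor is denied ERP regardless of where he sits.
SAMPLE_FLOWS = [
    Flow("alice", "employee", "hq-desk", "erp", 10),
    Flow("alice", "employee", "vpn", "erp", 23),
    Flow("bob", "contractor", "hq-desk", "erp", 11),
    Flow("carol", "guest", "guest-wifi", "web-browsing", 14),
    Flow("carol", "guest", "guest-wifi", "google-apps", 14),
]
```

Running `enforce_continuously(SAMPLE_FLOWS)` shows that a desk port alone no longer determines the outcome: the decision changes with the user's role, location, application and the hour.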

ConSentry's own intelligent LAN switches offer these features, but Prince acknowledged that other products, such as HP's Adaptive EDGE networking technology and Cisco's PISA range, also adopt the same approach by inspecting the traffic they manage.

The changing LAN environment is confirmed in new research by the London-based agency Loudhouse Research Ltd, also commissioned by ConSentry.

In June 2009, the company interviewed 200 IT decision makers, half in the U.K. and the other half in the U.S., about the implications of what it called "LAN sprawl". The findings showed that:

  • 93 percent said their users are now more likely to require access to different parts of the network at different times for business reasons.
  • 92 percent reported an increase in the need to manage users with multiple profiles/IDs to support cross-functional needs of their organisation.
  • 66 percent said the proliferation of devices and applications made it harder to audit their networks.
  • Two-thirds believed that decisions to innovate business processes are often made without considering the impact to the network.
