Network Critical - The Window to your Network

Is China Winning at HPC



When I was in college I took an Astronomy class. This, as best I can remember, was my first introduction to numbers that boggled the mind. Distances so vast, speeds so fast that I got lost in my own mind trying to comprehend the numbers. I tried to re-calculate the values discussed in class in terms that I could understand. For example, one light year is the distance one travels at the speed of light for one year. Now, to put this in terms a college freshman can understand, traveling one light year is going 1,079,252,848.8 kilometers per hour for one year. Now, that is fast and that is far.

Forty plus years later, I am equally as astounded when I try to understand speed and processing power in computer science. High Performance Computing (HPC) technologies are growing to astronomical numbers that are once again boggling my mind.

First, what is a Floating Point Operation FLOP? Well, it’s complicated. For this discussion let’s just agree that a Floating Point Operation is a calculation performed by a High Performance Computer. Note that it is not a bit, but a complicated mathematical computation out to multiple decimal points. HPC processing power is described in terms of FLOPS, MegaFLOPS, GigaFLOPS, PetaFLOPs and so on. A PetaFLOP is one thousand million million FLOPS. So, now we understand the power of HPC. The calculating speed and power is astounding. The social, economic and political implications of this are powerful.

The United States and China are locked in a computer processing race similar to the space race of the 1960’s. According to the National Security Agency (NSA) and the Department of Energy (DOE), China is winning.

The United States beat the USSR to the moon with an unwavering commitment, political will and billions of invested dollars. The result was more than bragging rights. Many innovations that have improved our lives came out of space research.

Today, the competition for HPC superiority is equally, if not more important than the 1960s race for space dominance. China’s Sunway Taihu Light System is a High Speed computing system that is capable of 93 petaflops. That is 93 quadrillion Floating Point Operations per second. It is ranked #1 on the TOP500 list of super computers.

According to a Computerworld article on this subject, supercomputing dominance provides a huge economic engine, cutting edge research, capability to build better products, research for infrastructure improvements, new medicines and, of course tools to design many innovative weapons systems. Regardless of which country is number one, all countries that are in the race will receive many benefits.

Supercomputers, of course, are only one of the avenues to reaping benefits of HPC. Clusters of smaller computers are being networked to provide massive computing power with a much more attractive price tag than a single monolithic supercomputer. According to Market Research Future, the global HPC market is forecast to grow to USD$33 Billion by 2022 at a CAGR of 5%.

The two architectures for HPC, supercomputer and smaller computer cluster, both share the same achilles heal…network security. Centralized super computers are large and expensive resources. To keep them off the internet is to deprive many scientists and workers the opportunity to remotely utilize these vital resources. Clusters, by definition, are networks and vulnerable to internal and external threats.

Security is vital to HPC advancement. First, these valuable computing assets are sure to be prime targets for hackers. On another level, however, HPC and Artificial Intelligence (AI) technologies are being used to better protect computing resources. As security appliances develop the capability to learn normal traffic patterns of an organization, then to quickly detect and block anomalies, high speed networks will become less vulnerable and recover quicker from attacks. These security advancements brought about by HPC and AI will benefit all networks.

China may have the #1 super computer, but I hope they use their technical innovations to the advantage of their people. The United States and Europe are currently the largest HPC markets. The awesome computational power of this technology will certainly bring forth many advances in science, social services, medicine and business…and not so much, I hope, in weapons systems.

Posted: 19/10/2017 15:38:13 by Network Critical with 0 comments

5 Protections Equifax Should Have Employed


What everyone likely already knows is that credit reporting agency, Equifax, has been hacked. Lost to the hackers was personal and permanent identifying information of over 143 million people. Lost to the hackers are government Social Security numbers and Driver’s License numbers among other credit and financial information. If you do not know, Social Security numbers are forever. These numbers will be floating in the internet longer than the owners will live making them potential identity theft victims for the rest of their life. Could Equinox had done a better job protecting this information? YES!

  1. Strong Passwords - A security research firm called Hold Security was able to acquire administrative access (highest level access) to the Equifax website in Argentina. The site contained employee records, consumer complaint information and other personal and confidential information. How did they do this? They simply tried using the default password that many manufacturers use when they ship product…user name - admin and password - admin. Manufacturers suggest immediately changing passwords as soon as the products are installed for security purposes. Amazingly, many small businesses and multinational corporations do not bother changing the information making it very easy for hackers to access systems. Note that this may or may not have been a factor in the latest hack. Not enough is known yet about that breach. However, it is reasonable to assume that the lack of strong password management policy in Argentina will be found at other sites. 
  2. Training - Network security is not exclusively an IT responsibility. Every person in the company who has access to network resources has the responsibility to protect those resources. This includes complying with corporate access management policy on personal devices such as smartphones, laptops and tablets. Non-IT employees should have endpoint security on their home networks if they access work resources from home as many employees do. All employees should be cautious when clicking links in emails regardless of how official or enticing they seem. If you did not ask for that link, do not click on it. Now, many non-IT employees are simply not aware of these and other safeguards. It is the responsibility of the CEO to be sure that someone is in charge of creating safe IT policies and training all employees that have network access about these policies. Further, the training should also include stiff penalties for breaching policy. 
  3. Access Management - Everyone in the company does not need access to all the information on all corporate systems. There should be multiple levels of access to corporate IT resources. Using Equifax as an example, what positions in the company require access to every piece of personal and confidential information of every single customer record in the system at any one time? It makes no sense to allow any employee full access to all records, not even the CEO. For even deeper protection, Data Loss Protection (DLP) appliances connected to network access links by intelligent TAPs can set and enforce policies determining what data formats are not allowed to be downloaded to certain devices. For example a policy could be set restricting the downloading of any USA Social Security number with the format XXX-XX-XXXX regardless of the users credentials. 
  4. Executive Training - Stuff happens. This is not the first major security breach in history. It may, however, very well be one of the largest. In order to maintain what customer credibility is left after a major breach of confidence, the company needs to very carefully navigate the post-breach waters showing empathy to the victims and a willingness to do whatever it takes to remedy the situation. The equifax response fell a little short. First they did not notify the public of the breech for about 5 weeks while executives were selling stock. Not exactly an empathic start. That was the start of a long list of post hack flubs that has the US Congress opening an investigation into the company, the breech and the response. The remedy offered to the consumer victims has been credit monitoring for one year. This stolen information can be used and sold by the hackers for thieves to open credit accounts, file fraudulent tax returns, obtain loans and buy products for life. Birthdays, Social Security Numbers, Drivers Licenses do not expire. Equifax is saying that their mismanagement that caused perpetual personal information to be in the hands of thieves will be protected for a year. After that we have some wonderful products that you can buy from us so we can profit from our mistakes. A little more sensitivity is in order hear. Perhaps a weekend empathy retreat is in order. 
  5. Encryption - Follow me here…Ransomware hackers encrypt data all the time. The data is not theirs but they get to it and encrypt it. Then they charge the victim for the key to decrypt the data. The victims data is worthless and unusable until the key is purchased. So, lets say the Equifax had the forethought to encrypt the personal, confidential and perpetually usable data in the files of 143 million of their customers. Let’s say that hackers got through the passwords, firewalls, IPS, DLP, and other access control and protections on the network. If the customer data was encrypted, it would be worthless to the hackers. Seems simple enough.

There is much more to this story and it will be in the news for a while. It touches virtually every US adult. There is already a US$70 Billion Class Action lawsuit being prepared against Equifax. Any company that holds confidential customer information in a networked environment, needs to be extremely vigilant in protecting that information. The cost of a breech, as we see here, is much greater than the cost of building a robust security platform and training all employees on security policy.

Posted: 01/09/2017 18:17:26 by Network Critical with 0 comments

Is Your Company Cyber Covered?


Your company is likely insured to cover a variety of business risks. Some of the most common business coverages include general liability insurance, product liability insurance, professional liability insurance, commercial property insurance and perhaps some other specialty coverages depending on your business. So, as a business manager, you might think, I am covered. Well, it might be time for an insurance review that includes a relatively new, yet potentially devastating risk…cyber crime.

Most insurance companies that provide commercial property policies exclude electronic data under the definition of “covered property.” General liability coverages are designed for bodily injury or property damage which are narrowly defined in the policy. Electronic data is usually excluded under the definition of “covered property”. Personal and advertising injury excludes infringement of copyright, patent, trademark or trade secret loss which are often cyber targets.

Insurance companies and their actuarial research and tables have not kept pace with the blazing advancement in cyber technology. While technology continues to advance at a rapid pace, the insurance industry is struggling to keep up. There are, however, some companies that are developing and marketing cyber insurance policies to cover the potentially devastating effects from a cyber attack. AIG, for example, has introduced a stand alone policy called “CyberEdge.” that offers coverage against many cyber risks.

Many large companies mostly in developed economies are working with their insurers writing specific risk policies that provide coverage for business interruption, liability, remediation costs and other damages caused by cyber attacks. The cyber insurance industry is currently estimated to be about a $4 billion a year business and growing fast. Here are a few reasons for growth in cyber insurance…

Target - Data breach of 41 million customers credit card information in which Target settled for US$18 Million Anthem Health Care - Data breach exposed personal information of millions of patient records that Anthem settled for US$115 Million JP Morgan - The largest bank in the United States was hit by a breach where hackers obtained personal information including Social Security numbers of 76 million households and 7 million businesses. Subsequently, the bank has increased its cyber security budget to US$250 million per year.

A Ponemon Institute report found that the average cost of data breach for the 383 participating companies in 12 countries was about US$4 million. Two of the “megatrends” discussed in the report are that 1) Regulated industries such as healthcare and financial have the most costly breaches because of fines and a higher than average rate of lost business and customers. 2) Investments in certain data loss prevention controls and activities such as encryption and endpoint security solutions are important for preventing data breaches.

Similar to many other types of coverages, the insurance companies are working on developing risk assessment practices in order to better manage the cyber vulnerability score of applicants. Of course, the higher the risk score, the more the applicant will pay for coverage if a policy is underwritten. Many insurance companies, lacking industry-wide standardized practices are using Payment Card Industry (PCI) data security standards as a baseline for providing coverage. These standards require specific security practices such as firewall protection as well as other intrusion, encryption and data loss protections. An organization that is not in compliance with PCI standards will find it difficult to obtain coverage.

Strong network protection starts with a Next Generation Firewall (NGFW) that integrates intrusion protection along with traditional firewall protection. Additional appliances such as Data Loss Protection (DLP) provide another layer of protection helping prevent the download of protected information by unauthorized devices. Other critical appliances that identify traffic anomalies, block suspicious traffic and help weed out malware are coming to market every day.

Good news and bad news is the pace of malware protection innovation. Good that there is a constant flow of new technology coming to market with each new appliance covering a previously under-protected vulnerability. Bad that deploying numerous specialized appliances on every link of a complex network is very costly and can impact reliability and availability of networks to legitimate users. Fortunately there is one more “good” to this story.

Security appliances can be connected directly to links or can be “brokered” through intelligent visibility appliances that are designed to connect numerous appliances. These intelligent TAPS and Packet Brokers can map network traffic through connected appliances and bypass problem units. The port mapping and power-fail protections keep networks “alive” even when certain appliances are “dead”.

To summarize, cyber attacks are increasing in sophistication and frequency. A well written and rated cyber insurance policy can protect businesses from costly breaches and the associated liabilities. In order to get the best coverage at a reasonable rate, review your security profile prior to applying for coverage. The cost of a strong security infrastructure can be more than offset by lower insurance rates and by defeating attacks before the damage is done.

Posted: 15/08/2017 17:36:42 by Network Critical with 0 comments

Do You Know Where Your Data Is?


What do you know about where your telecommunications and mobile provider stores, manages and secures your personal data. You might say, “Well, I have Verizon so I don’t worry about it. They are based in the US and have great security.” Or, you might say, “I know that Apple is very focused on security and privacy. They even fought against the FBI to not give up personal user data.”

Let’s look at a little history before we move on to the current telco landscape. In the “good old days” prior to the breakup of AT&T the United States had Ma Bell (AT&T) to provide telephone service to 80% of the US market. A secondary company called GTE provided service to the areas AT&T did not want to serve. There were also a few hundred smaller independent telephone companies serving small rural areas where neither AT&T or GTE wanted to develop infrastructure.

In those days, infrastructure was expensive to develop. Most communications connections were copper cable so poles had to be erected or trenches dug to connect serving offices to the customers. There was a network of large communications switches that connected all the phones in the country used exclusively for voice calls. There was also a network of specialized computers that stored customer information, recording such data as call origination, destination, rate structure and duration for billing purposes. This is how your bill was developed.

Now, lets fast forward to 2017. Over the years innovation has exploded, legal restrictions have relaxed and the physical anchor of copper cable networks is gone. Switches have become much more sophisticated and wireless technologies have revolutionized the network. Mobile devices are now the universal terminals for voice, data, text, video, photos, entertainment, banking, shopping and a wide variety of other specialized convenience applications. There are over six billion cell phones in the world with about 1.1 billion connected to broadband services.

The major service providers like Verizon, AT&T, China Mobile, Nippon Telegraph and Telephone (NTT), Deutsche Telecom and others are providing much more than voice connections. Apple, Motorola, Samsung are working with the carriers to provide more and more sophisticated devices that are becoming the indispensable cornerstone of modern business and personal connection. Buckle up folks, here comes the scary part…

These global companies are storing, recording and analyzing everything you do as a broadband customer. These massive computers store information such as where you bank, where you shop, what restaurants you like and do not like. They have your PIN numbers, access codes, passwords and any other information used by any of your connected devices. If you think this information is just being stored in a pile like old furniture you are mistaken. These companies are using this customer identification, location and preference data to their own marketing and competitive advantage. Obviously, the more they know about their customers, the easier it is for them to provide new and interesting services, sell new products and maintain their loyalty as a customer.

These large global companies need to be nimble and cost effective while providing voice and data services to hundreds of millions of customers around the world. First, they locate their massive data centers in countries with low cost structures for land and labor. Then they hire local workers through third party contractors. Of course, they have their instruction manuals and practices that the third party company and contractor employees are expected to follow but close supervision and control is difficult when your human and physical assets are spread throughout a variety of countries and cultures.

Two recent examples of glaring security breaches are Verizon and Apple. Two highly trusted brands headquartered in the US.

  • Verizon - An independent Cyber Risk Team identified a misconfigured cloud-based file repository that exposed personal customer data of as many as 14 Million US customers. This misconfigured data repository was owned and operated by NICE Systems based in Raanana, Israel. What was at risk? Names, addresses, account details and PIN numbers. All the information that could be used to access banks, shopping accounts and other applications.
  • Apple - Employees of a third party sales and customer service contractor in China have been caught selling Apple customer data including names, numbers and Apple ID’s of Apple China’s customers. The ring netted over US$7.5 Million before being stopped.

The increasingly popular Big Data trend, storing massive amounts of data in large depositories for marketing, sales and retention analysis, exposes customers to breach and invasion of privacy. Even though your trusted provider may be in your local area, your personal data likely is being accessed and/or stored far away and managed by third party contractors without the safeguards you would expect from your preferred supplier.

For businesses, BYOD means that the exposure to employees personal devices will carry over to the business network. It is critical that links are secure and traffic visibility is consistent. Perimeter security such as Intrusion Detection as well as specialized appliances to detect traffic anomalies will help secure corporate assets. Connecting these network protection appliances is safe and reliable using intelligent TAPs and Packet Brokers. A Gartner report states that by 2020, 60% of businesses will suffer service failures due to the inability of IT teams to manage digital security. For more information about increasing traffic visibility and securing network links go to www.networkcritical.com.

Posted: 01/08/2017 19:42:19 by Network Critical with 0 comments

Don’t it Make you WannaCry?!


It is enough to make anyone responsible for network security to want to sit down and cry. What is? The WannaCry ransomware attack, of course. The attack hit 150 countries in one day. The bad news is that there will be more such attacks in the future. The WannaCry ransomware attack is the broadest such attack in history.The good news is that we are not defenseless. Here are some history, thoughts and precautions about WannaCry and other malware.

By now, most of us have heard of the WannaCry attack. It is a trojan virus that encrypts all the data on the infected computer and instructs the owner to pay US$300 to decrypt the data. If the ransom is not paid in bitcoin in three days, the ransom amount doubles to US$600. After seven days all data will be deleted from the system.

So, how does the virus get into a computer? Generally the user is tricked into loading an infected file. Therefore, being cautious with your clicks is the best way to keep your files safe. According to a great security blog called Krebs on Security, here are three keys to help stay safe from this and other malicious viruses:

- If you did not go looking for it, don’t install it.
- If you installed it, update it. (WannaCry exploited a vulnerability in older systems)
- If you no longer need it, get rid of it.

These rules apply for all devices, desktops, smartphones, and tablets. Microsoft has macros turned off by default on most computers because they allow attackers to take advantage of resources that could result in running code on the system. Be very cautious of clicking on a request to “Enable Macros”. Also, regularly backup your data on a device that is not networked or connected to your computer. A current, disassociated back-up is your best defense against a ransomware attack.

With that background, we know that WannaCry exploited an old Microsoft Office vulnerability. Microsoft has since created a patch and is making it available to Windows XP, Windows 8 and Windows Server 2003. But wait, there is more…

According to an article by Bruce Schneier in Foreign Affairs, The National Security Agency (NSA) detected this flaw years ago but chose not to disclose it. Wait, w hat? Why on earth would they not expose a potential flaw that could cripple hundreds of thousands of computers worldwide if it got into the wrong hands? (There is an argument that being under control of the NSA constitutes being in the wrong hands, but that is a story for another day.)

The government agency had found a vulnerability and made a decision to exploit it rather than disclose it. This code, it seems, is a powerful weapon in gathering intelligence. With its own mission in mind news of the the code was kept quiet. Subsequently, the code was leaked and ended up in the “wrong hands” doing substantial damage around the globe.

Schneier suggests that the US agencies would be better served by using a stream of newly discovered vulnerabilities for offensive intelligence and disclose existing vulnerabilities to the community for defensive purposes. This idea keeps the intelligence flowing while helping improve security on systems everywhere.

The moral of this story is that cyber security is an ecosystem not an individual responsibility. In order to stifle ubiquitous attacks on computers and systems everywhere, the entire cyber community must remain vigilant and informed. This includes IT professionals as well as non-IT users. Companies and individual users must keep patches up to date. New employees must be trained on security practices for computer and network use. Strong perimeter security must be deployed and maintained to the latest standards.

Network Critical works with many partner companies who provide innovative approaches to network performance and security. These companies provide Firewalls, Intrusion Prevention Systems, Data Loss Protection, intelligent malware detection, WAN acceleration and performance as well as many other appliances to help protect computers and networks.

TAPs and Packet Brokers provide safe and secure connectivity and visibility to these protective appliances. Connecting specialized security appliances with Network Critical’s SmartNA TAPs and SmartNA-X Packet Brokers allows companies to add new layers of security without compromising network reliability or availability.

If you don’t WannaCry about malicious viruses, review your cyber practices now. Update patches, review user training and access policy and shore up your perimeter defenses.

Posted: 21/07/2017 13:01:31 by Network Critical with 0 comments

Net Neutrality Protest and DDOS


As has been reported by many outlets, the John Oliver show on HBO has advocated that his viewers send their comments about net neutrality to the FCC. His idea was to flood the FCC website and, therefore, render the FCC website unavailable. By having viewers all send comments protesting the potential repeal of net neutrality rules they could shut down the FCC. This would send a powerful message about the will of the people.

However, it is unlikely that the viewership of the show actually brought the FCC to its knees. Here is a little background about DDoS attacks.

DDoS
DDOS, or Distributed Denial of Service, is a highly coordinated attack that uses thousands and sometimes millions of devices to send such things as connection requests or large volumes of data to a network of servers thus overwhelming its capacity to respond. This malicious traffic blocks legitimate requests to the targeted network of servers from being processed. Thus the Distributed Denial of Service monicker.

DDoS attacks can come from many sources. Malicious botnets can be imbedded in thousands of devices by having users click on seemingly innocent links. Then when the time comes, the botnets send floods of requests or data files to target servers. One large DDoS attack was initiated by hacked public video cameras. That attacked sent 20,000 requests per second from 900 of the infected video security cameras.

John Oliver and the FCC
Now lets look at the John Oliver show’s viewers. The show has a large following. So, what if John Oliver suggested that all his viewers send their net neutrality comments to the FCC in order to bring down the FCC comments server. Let’s say that thousands of viewers followed the suggestion. What do you think the probability would be that enough comments were sent all at a specific time in order to block the network of FCC servers. Fairly unlikely.

According to a statement by David Bray of the FCC, their servers were victims of a series of DDOS attacks about midnight Eastern Time. Mr. Bray said, “These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host.”

Now, what is open to speculation and wonder is whether the DDOS attack timing was coincidental or if John Oliver’s comments inspired a person or group to perpetrate the DDOS attack. Interestingly, if the attack was created by sympathetic John Oliver viewers, they might have actually blocked many comments supporting net neutrality from being delivered by blocking the comment servers.

DDoS Protection
There are many reasons that businesses are attacked. Some include Hacktivism, hacking for social change. Extortion, hacking for ransom. Revenge, hacking to get back at a company for a perceived wrong. The motivations for these attacks are not much different than motivation for any other crime.

These attacks can come from anywhere ant any time. It is important for business and personal networks to be prepared ahead of time by protecting the network perimeter with strong Intrusion Prevention and other security appliances that can detect anomalies in network traffic. Forrester, IDC and Yankee Group predict that the cost of a 24 hour outage by a large e-commerce business would approach US$30 Million.

There are many specialized appliances that are designed to detect and block DDoS attacks. These appliances can save thousands to millions of dollars in lost revenue and reputation repair by preventing attacks that shut down business websites for hours or even days.

Of course, these appliances must be safely and securely connected to network links. TAPs and Network Packet Brokers are designed specifically for this purpose. These security enablement appliances allow connection of multiple security appliances on network links without impacting availability, speed or reliability. Further, large and complex networks can use intelligent TAPs and Packet Brokers to improve efficiency of security appliances through filtering and port mapping features that cut costs and increase processing speeds. You can find more information on TAPs and Packet Brokers at www.networkcritical.com/products.

Network Neutrality
Here is a final thought on the issue at the core of this controversy. The new FCC Chairman, Ajit Pai was an attorney for Verizon prior to his selection to this position. According to an article in the Seattle Times, since his appointment, he has stopped nine companies from providing discounted high speed internet access to low-income individuals, withdrew an effort to keep prison pay-phone rates low, and scrapped a proposal to open the cable box market to greater competition. Like these changes or not, the telecom, cable and media industries are in for many changes ahead.

Stay informed, stay connected, stay protected!

Posted: 07/07/2017 16:44:15 by Network Critical with 0 comments

FirePower + TAP Power


So, which “Wall” do you think we are going to talk about today? Here is a hint…During the week of June 25-29 Cisco is holding its annual technology and networking conference. Thousands of technology innovators will be descending on Las Vegas for education and inspiration needed to thrive in the fast moving world of digital business. It is Cisco Live! 2017!

At the conference you may run into these superheroes…Code Crusader, MegaFix, Major Shift, Ignitor and The Wall. These superheroes are programmers, troubleshooters, transformational leaders, innovators and protectors of the network. Network Critical TAPS and Packet Brokers supply the capes and enhanced powers for two of these heroes, MegaFix and The Wall.

MegaFix is the super trouble shooter. In order to troubleshoot, one needs visibility. Network Critical TAPs provide visibility to network traffic flows assisting the MegaFix mission. The Wall is the protector of the network. In order to protect the network from attackers, The Wall needs to not only see traffic, but to be able to quickly act on what our superhero sees. Network Critical SmartNA-X in-line TAPS connect appliances to network links and allows them to act in real time stopping malicious traffic dead in its tracks.

Let’s look at FirePower, next generation super firewalls from Cisco. FirePower products integrate Intrusion Detection and Prevention in the firewall. One powerful appliance can provide multiple network protection functions. Small business can take advantage of the super-powers of The Wall as well as Data Centers and Service Providers. Just as our partner, Cisco, provides protection options for different businesses, Network Critical has options to connect FirePower Threat Defense for businesses large and small.

The Cisco ASA5500-X for small business is budget friendly yet powerful protection. Using a four slot chassis with only a single in-line TAP to connect to Cisco FirePOWER ASA 5500-X with FTD the cost of entry is minimal and scalability is simple. There are three additional slots in the powered chassis that are ready for use as new links are added. The TAP will bypass the appliance for maintenance needs or other issues ensuring network availability.

Some of the largest and most critical networks are Service Providers. The FirePower 9300 Series is a high performance NEBS rated NGFW with FTD. This product, designed for the Service Provider market provides critical speed, reliability and scalability. The Network Critical SmartNA-10G-V-Line high speed TAP connects the FirePower 9300 series appliances to network links at super speed providing real time threat protection as expected from a super hero.

The Network Critical high speed TAPs provide fail-safe operation keeping the network operational in the event of a power failure. Further, the exclusive V-Line (Bypass) technology maintains network availability in the event that the connected appliance is offline for maintenance or other issues. Space and real estate are two other important issues for Service Providers. The Network Critical 10G V-Line Tap is packaged in a slim 1U chassis and can be powered by either AC or DC power supplies.

The dictionary defines superheroes as: pl. su·per·he·roes A fictional figure having superhuman powers or greatly enhanced abilities, usually portrayed as fighting evil or crime.

The combination of Cisco FirePower partnered with Network Critical V-Line TAPs is a perfect fit for that definition. Cisco FirePower is the impenetrable wall against evil hackers and Network Critical TAPs provide the enhanced abilities safely connecting FirePower appliances to links while keeping the network available to users at all times. Find us in the Cisco Solution MarketPlace.

FirePower + TAP Power is indeed a superhuman partnership. Network Critical experts will be at Cisco Live! this week. Contact us for an appointment with a real network superhero. Enjoy the show!

Posted: 26/06/2017 15:50:20 by Network Critical with 0 comments

Starting the Countdown to GDPR in the EU


If you are in the IT business and you have not yet heard of General Data Protection Regulations (GDPR), you might need to read this blog ASAP. If you have heard of it but are not sure what it is all about…same as above.

Like most government regulations, GDPR is long and uses words that are even longer. If you have your pocket data dictionary handy, you can try to look up some of the more obfuscatory terms but very likely will not find them. There are a few benefits to spending some time understanding this regulation, officially called “Regulation (EU) 2016 679.”

GDPR was passed by the European Commission, The Council of the European Union and the European Parliament. It is broad in its scope and reach across the EU, and consequences for non-compliance can be severe. If you are now worried that you may be out of compliance because you have not even read it yet, do not get your knickers in a twist. Although the GDPR was passed in April of 2016, it does not take effect until May, 2018. So in the meantime, let’s take a quick look at the purpose, scope and non-compliance consequences.

According to Wikipedia, GDPR is a regulation intended to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objective of the regulation is to give residents control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

In general, regulatory compliance can be cumbersome and costly. The GDPR however, unifies data protection regulations across the EU, making it easier for international companies to understand and comply with one, rather than many, conflicting regulations. However, the penalty for non-compliance can be pretty severe. Sanctions for breach can range from a warning for first offense or non-intended non-compliance to fines up to 20,000,000 EUR for more severe cases.

Organizations that collect data from EU residents (controllers) and organizations that process data on behalf of controllers (processors) such as cloud service providers and similar contractors are governed by this regulation. Even organizations based outside the EU that collect personal data responsible for GDPR compliance. It does not matter if your organisation is small or global. If your business is deemed a “controller” or a “processor”, you must comply with GDPR.

According to Florian Douetteau, CEO at Dataiku, here are four key steps to get ready for GDPR compliance:

Application: As stated above, all companies processing or controlling personal data that have customers in the EU need to comply. Even companies in the UK, post-Brexit, who have customers in the EU will be governed by GDPR.
Data subjects rights: Data subjects are customers who provide personal data to a company. Data subjects have expanded privacy rights including the right of erasure, the right to access their data, and to question decisions made purely on algorithmic basis.
Internal record keeping requirements: There are specific record keeping requirements that may include the appointment of a Data Protection Officer.

So, you have been reading a lot about GDPR, but have not seen anything yet about pseudonymisation or anonymisation. Remember how government regulations often use long words to define a relatively simple concept? Here is an example: pseudonymisation is a word to describe encryption or other methods of disguising data so it can not be attributed to a specific data subject without a key. Further, the key must be kept separately from the pseudonymised data. Thus, the data will be effectively anonymized.

Of course there are many other requirements for GDPR compliance such as 'Privacy by Design and Default', 'Data Portability', 'Data Breach Notification' and more. Certain appliances such as Data Loss Protection and Intrusion Prevention Systems, may assist in protection from what can be very expensive breaches and sanctions for non-compliance. These appliances can be simply and safely attached to data links by using TAPs and packet Brokers without risking network performance. So, while you are preparing for GDPR compliance coming next year, be sure your perimeter protection is also up-to-date with appropriate traffic visibility and link security. For more information on visibility and perimeter protection, go to www.networkcritical.com.

It might be a little bit of a challenge working pseudonymisation into a cocktail party dialog. However, if you can, your friends will be gobsmacked.

Posted: 09/06/2017 14:05:52 by Network Critical with 0 comments

Hackers! Take Note…


Many of our blogs deal with cyber security. We talk about technical training, user training, passwords, technical advances in cyber protection and many other topics related to network traffic visibility and security. Back in January we talked about the importance of global government cooperation and information sharing as a means to track down sophisticated cyber crime organizations and individuals. We also advocated for new laws and increased penalties for cyber crime.

Cyber crime is no longer a computer geek in a basement stealing a credit card number and buying a new blender. Cyber criminals operate internationally and have developed sophisticated operations using the latest technology and increasingly sophisticated techniques. These organizations prey on corporations, individuals and governments searching for wide ranging information.

Criminal Motives

  • Outright theft of money through bank transfers and account penetration
  • Information theft with the intent of using that information to steal from corporations and individuals
  • Information theft with the intent of embarrassing corporations or individuals
  • Information theft and publication on a very large scale with the intent of influencing public opinion (see: Russian Hacking Scandal)
  • Information theft with the intent of extortion and/or blackmail
  • Information theft under the guise of activism in order to promote a cause (Hacktivism)

Scope of Operations

  • Some hacking organizations are sponsored by governments with massive resources
  • Some organizations are very small or even operated by a single person
  • Regardless of the organizational size, global reach and broad access is easy
  • Physical locations are difficult to trace
  • Cyber movement across boarders is pervasive

With that background, we see that cyber crime is a well organized, well funded and profitable scourge on civil and trusting society. However, government cooperation and commitment to bringing cyber criminals to justice is starting to pay off. Government sponsored anti-hacking organizations are finally putting significant resources behind tracking down these criminals and locking them up…for a long, long time.

Catch and Conviction
Roman Seleznev, a Russian national was convicted in United States court of 38 counts including wire fraud and aggravated identity theft. Mr. Seleznev hacked into point-of-sale devices and stole credit card numbers from over 500 businesses stealing about US$170 million from over 3700 banks. Now, it is easy to see why there were some significant resources behind the tracking, apprehension and conviction of this guy.

Mr. Seleznev was finally tracked and apprehended in the Maldives. He had servers in Ukraine, Russia and in the United States. When he was arrested, law enforcement found 1.7 million credit card numbers on his computer.
Mr. Selezney was a hero of sorts in the underground world of cyber crime. His operation was used as a model by other hackers. It took over two years to try him and he was ultimately given a 27 year prison sentence. This is believed to be the longest sentence ever given for hacking. Roman Selezney is only 32 years old so will likely be healthy enough to serve his entire sentence, being nearly 60 years old when released.

Moral of the Story
Hackers beware. Governments and corporations have broad reach and deep pockets. They now realize that hacking is no longer a prank and see it for the sophisticated criminal organization that it is. The Selezney case has set a precedent. You might be elusive but governments and corporations will track you down like a dog. When you are caught, you will be handed the most severe prison sentences allowed. Further, those sentences are getting longer as the legal community comes to understand the true nature of these crimes. Unless you like the color Orange, find another business.

Posted: 26/05/2017 15:40:24 by Network Critical with 0 comments

One Throat to Choke


Systems Integrator: One who integrates systems. (Just kidding). However, this simple and obvious tongue-in-cheek definition tells an interesting story. Systems integrators (SI) build computing and networking systems for clients by combining hardware and software products from multiple vendors into a single working system. While the term can be used in many other industries it is most commonly used in the computing industry.

By bringing together different sub-systems into a single operational system, the SI ensures that those subsystems from a variety of different vendors will function together (in peace and harmony) as a single coherent system. Why is this important?

It’s Complicated
Let’s look at the example of building a Data Center (DC). The components involved include routers, switches, firewalls, servers, data storage, racks, AC and DC power devices, wiring, connectivity and visibility equipment, environmental equipment (cooling), raised flooring, physical security, cyber security, software and applications, and likely other components that I did not think about. Now, there are many competitive vendors providing an array of specialized equipment for each of these sub-systems. Each vendor’s design has advantages and challenges. The DC designer must develop a plan and pick vendors that are most likely to fit into the plan.

Vendor selection alone is a daunting task. It involves many meetings with sales and engineers from this vast pool of potential vendors for each piece of equipment. Decisions must be made regarding features and functionality of the each piece of equipment being evaluated. Further, each piece must also be evaluated regarding is relative position in the network and its compatibility with other equipment under consideration creating a very large and complex matrix. Next up is determining who in the organization has the competence to evaluate all the piece parts.

Specialist vs Generalist
It is easy to see from the above list that product evaluation and compatibility review is a daunting task. The DC designer must be able to map out the master plan but also be an expert in every piece part in the design. This is not likely, so what are the alternatives. The DC designer will need to develop and lead a massive team of experts to evaluate individual pieces and submit sub-system designs for integration into the master plan. This can be accomplished by direct hire, subcontracting individual consultants or hiring a Systems Integrator.

Have Specialists, Will Travel
There are many Systems Integrators available in many industries, including technology. For the purposes of our discussion, lets continue with the DC design. Systems Integration is all about having the specialized resources in place and being able to draw upon those resources in a timely manner. This allows the right specialists to be available when needed and not sitting around wasting resources when other aspects of the design are in play.

The larger SI companies employ an army of specialists from which they can draw at the appropriate time. These specialists usually work on many projects at the same time so they are always busy but bill according to the time spent on each unique project. This allows the DC designer to have the specialists they need at the time needed and only pay for their time working on the project.

Loyalty to the Client
While Systems Integrators have relationships with many vendors, their loyalty is to the client. The SI specialists learn many products within their specialty and attend trainings often organized by various vendors. Their prime mission, however, is to understand the needs of the client and what product is the best fit for the system being built.

Individual product vendors can be evaluated by the DC designer and staff. However, these presentations are often biased by the strengths and weakness of the individual vendor product. The vendor presenters also may not be familiar with the other products that will be connected to theirs. By relying on an independent third party for vendor selection the client has a high probability of success using experts with a systems focus beyond expertise on a specific product.

The Systems Integrator generally assumes end to end responsibility for project success. So, rather than chasing vendor tails and dealing with finger pointing round robins, the Systems Integrator contract offers a single point of contact for project support. Put another way, when something goes wrong, you have one throat to choke until the problem is solved.

Final Thoughts
There is no single “best practice” for designing complex computer, network and security systems. Todays blog takes a look at one idea which may work well for certain projects. Other practices such as individual vendor analysis by consultants and Web research, relying on local VARs who represent a variety of products and sub-systems, complete in-house project staffing for the necessary product and systems analysis or any combination of the above. Each project needs to examine complexity, resources, timing and desired outcome before picking a project team. For more information about project support options and independent specialist recommendations go to support@networkcritical.com.

Posted: 12/05/2017 14:24:56 by Network Critical with 0 comments

Losing by Default


In sports if one team does not have enough players to field a team they lose by default. In a court of law, if the defendant or the plaintiff does not show up they lose by default. This is the easiest win for the victorious party. Not a drop of sweat was produced. There was no risk of injury or embarrassment. The only thing the victors had to was show up and they get to notch a “W” on their record or take home the trophy.

This is also the most disappointing loss for the party on the other side. They may have had other priorities. They may have forgotten the date of the contest. They may have been stuck in traffic. No matter the reason, they still lose. In amateur sports the loss is mostly pride and bragging rights at the local pub. In court, the loss could be costly in property or currency. In many cases, the loss could have been prevented had the loser been more diligent in managing their calendar or more focused and committed to the contest.

What does this have to do with cyber security or data breaches? The moral of this story is that cyber criminals are being handed default wins every day. They must be saying, “I can’t believe how easy this is!” It is easy because those in charge of safeguarding their critical network infrastructure and its contents are not as focused, diligent and committed as they could be/should be. Here is one important example that is exploited often but is easy and inexpensive to fix.

Default Username and Password
Default username and passwords are used by manufacturers to allow initial access to system hardware and software for the purpose of initial configuration or to restore after resetting the system to its factory default settings.

A Tripwire study concluded that 30% of IT professionals and 46% of users do not change passwords from the manufacturers default setting. This is a dangerous practice as all of the manufacturers default settings are available on the internet to anyone who knows how to search “default settings!”

What is worse is that these initial user name and password settings generally provide full administrative access privileges. This means that with these passwords the hacker will have total access to the system, be able to change settings IP addresses.

An Interesting Conundrum
Computing and networking is no longer the singular domain of the IT department. With BYOD, multiple device access, and a panoply of applications running in the business world, network access is the required of nearly every worker. So, the company that believes the network is secure because the IT department is skilled and savvy is wrong. Every employee who has access to email, web and other corporate applications needs to be educated on network security protocol and be diligent with their access privileges.

Changing from default settings to a strong user name and password immediately upon accessing any new device is a critical step in keeping hackers our of the network. The conundrum is this…a simple password is easy to remember, easy to enter and, therefore convenient for the user. A strong password is hard to remember, difficult to remember and a pain in the backside for the user. So, what will the typical user do when forced to create strong passwords? They will write the password down on a post it note or enter it in the notes section of their device. In other words they will make the password easy for hackers to find. Thus the strong password now becomes a weak password.

Solutions?
There are password technologies such as Single Sign On and LDAP that can assist users with access while providing strong password protection. Network security training on a consistent basis with all employees (not just computer related functions) is another important step. Employees need to understand that strong passwords are inconvenient but necessary and entering passwords in notes, pretty much defeats their purpose.

Regardless of password strength, changing from the default password to a new, unique password is still better than taking no action. No one should allow a globally published default password to control access to the corporate network.

Final Note
Regardless of how good your password policy, how hard you train employees, and how severe of the consequences for policy violation, there will be a sub-set of employees who opt for the convenient rather than the secure option. It is important for networks to have perimeter network protection such as Next Generation Firewalls with Intrusion Prevention, Data Loss Protection and other access security appliances protecting the network.

Posted: 28/04/2017 14:49:12 by Network Critical with 0 comments

Enter The Drag-n


Do you remember the 1973 Bruce Lee movie Enter The Dragon? The movie opens with a martial arts competition. The competition is fierce and brutal. During the competition, our hero discovers a dark underbelly of unsavory activity. As the fight to clean up the mess progresses, more and more challenges confront the good guys. The stakes are high and there is no room for failure.

This scene may also sound familiar if you have ever tried to deploy security or analysis appliances with TAPs using Command Line Interface (CLI) or a typical GUI with a hierarchical structure. At first, things don’t seem so bad. Perhaps you are attaching a sniffer to look at email traffic. No problem. You enter the string of commands to filter all traffic except email, connect the appliance, and done. Everything is working well until your boss comes in and says, “We need to monitor web traffic more closely.” Then he comes back in a half hour and says, “I am concerned about ransomware vulnerability. We also should add on some Data Loss Protection and Intrusion Prevention Systems. Complete network security is our top priority!”

You call your local VAR and purchase some of the best performing security appliances. Now, it is time to deploy and you realize you have already filtered out all the traffic downstream from the email analysis device you just installed. Now, none of the new appliances can see any of the packets they need to do their job. No problem, just reprogram the TAP.

This is where things become very interesting. With hierarchical devices, once you have filtered certain types of packets, you can not get them back. So now you have to take all your appliances and write a detailed mathematical plan. What appliances need to see what packets? Then create the hierarchy so that packets that are filtered out early are never required by another appliance downstream. Also, you don’t want to send too much information to the upstream appliances reducing their efficiency. This is a difficult and time consuming task that gets more complex as more appliances are needed.

You are smart, however, and work your way through it with a well thought out and very detailed filtering and port-mapping plan. After you deploy it and test for accuracy you will find some issues where you have blocked data that should have been passed. You re-write the plan and fix the bugs. Turn it all up and it works! As you are celebrating with a half-caf latte, your boss comes in and has an idea. “Here is a data sheet on a new appliance that actually learns traffic patterns and can help prevent attacks before they cause network damage. I want you to add that to our security stack.” You suddenly realize that you have to re-write your filter and port map plan from the beginning because the hierarchy must be pure end-to-end.

Enter the Drag ’n…or Drag-n-Vu™ that is. Network Critical has defeated the dreaded hierarchy. Through years of brutal research and development, Network Critical engineers have created a TAP and Packet Broker deployment plan that does all the math for you in the background. This new program provides independence from complex hierarchical commands with the simplicity of drag and click mapping.

With Drag-n-Vu™, there are no commands. There is no hierarchy. Instead, there is a clear visual map of the ports. The network administrator simply decides which network tool plugs into which port, then drags the cursor from the input ports to the output ports. Filters are simply created and stored so they can be dragged and dropped to whatever port combinations are needed. Best of all, the filters are independent. For example, if http traffic is filtered out in map number one but required in map number two…no problem. Different traffic types can be filtered and reused anywhere in the process and as many times as needed. This ingenious new development not only simplifies deployment planning and installation, it also allows for simple and fast changes. In the tech world, changes happen quickly so it is critical to be able to be able to adapt to changes with utmost efficiency.

Drag-n-Vu™ also improves accuracy, reducing the potential for mapping errors that can drop links or create bottlenecks. With simple drag and drop deployment, it is easy to see what traffic is going where so the plan is deployed with complete confidence the first time. In fact, the process is so simple, it actually can be managed by network administrators, freeing up engineers for other more complex tasks. This saves OPEX in a budget-conscious world.

Since the entering of the Drag-n-Vu™ by Network Critical, the dark and looming menace of hierarchical port mapping and filtering has been defeated. The bright and colorful graphical user map from Network Critical is the bright star of security and appliance deployment. You can see the trailer to the Drag-n-Vu™ movie at www.networkcritical.com.

Posted: 12/04/2017 21:10:52 by Network Critical with 0 comments

March Madness


Welcome to March Madness. In the United States, the major colleges engage in a 64 team single elimination basketball tournament. The teams are assigned to brackets early and in March and many Americans fill out their own version of which teams will progress and which will fall away.

As the tournament progresses, fans need to follow the bracket changes and root for their favorite teams. This is done day and night throughout the month meaning that work time is also used to update brackets, manage office betting pools and actually watch games. With games now being multicast across a variety of devices it is easy to watch any team at any time. The estimated productivity loss for U.S. businesses during the month of March is about US$2.1 billion.

Another form of March Madness that is expensive to U.S. businesses is data theft. This cyber crime takes on many different personas but distracted employees are a favorite target. On March 2, 2017 NSC Technologies Worldwide was breached by a phony email scheme and employees sent the W-2 tax forms of all the company employees to the hackers. The W-2 form contains important personal information for each employee including wages and social security number. This information can be used by cyber criminals to file false income tax returns in the names of these employees and have the refunds sent to false bank accounts.

March, 2015 Morongo Casino among others fell to this scam. March 2016 the Main School System, Sunrun, Sprouts Farmers Market, Seagate Technology among many other firms were targeted. In fact this W-2 phishing scam is growing by 25% according to the Vice President of Data Breach at Experian. Why March? Because that is “tax season” in the US when employees are compiling their income data and forms to file with the Internal Revenue Service.

Here is what happens. The hackers sent phony emails to employees that looked like they came from the CEO of the company. The CEO, in the email, asks the employees to download a file with all the employee W-2 forms and send it to him immediately. Of course, the email was not really from the CEO so the employees who thought the email was real, sent all the W-2 information to the hackers.

Now, if you think about this scam you wonder. What were these employees thinking…or, were they thinking? There are two solutions to this problem. One is technical and one is personal.

Personal

I you work in Payroll compiling employee data and filling our forms, how often do you get emails from the CEO? How often does he ask you to send him information for which he already has full access? What on earth would the CEO of the company want with the W-2 form for every employee in the company? If employees would just use a little common sense and think about these requests, it would be pretty obvious that this request, at a minimum, should be vetted prior to being executed. Further, why do these payroll and finance employees have download access to all the W-2 files in the company? This leads us to the technical part.

Technical

There is no substitute for hiring smart, inquisitive employees. There is also no substitute for continually training all employees in computer safety, security and how to recognize potential scams. All employees should also be given safe email policies and procedures to follow.

But there are technical solutions to network security that should also be investigated, budgeted and deployed. One particular solution that fits in nicely this March tax scheme is Data Loss Protection (DLP). Data Loss Protection appliances connect to network links and allow policies to be set for what data can be downloaded, to what devices and who has download privileges.

For example, a social security number has the format xxx-xx-xxxx. A company can set a policy in the DLP appliance restricting any data with this unique format from being sent to certain devices. This appliance deployed with the proper policies could eliminate the possibility that employees could inadvertently send this critical information to outside requestors regardless of who they thought they were.

Now these appliances also need to bp connected in-line and work real time on the network. In order to set up DLP appliances and not impact network availability or reliability, intelligent TAPs should be deployed as the connection between the DLP appliance and the network link.

Summary

Hire inquisitive employees, not drones. Set prudent email communication policies and train all employees in policy and consequences. Deploy technology to prevent embarrassing and expensive breaches. The cost of robust network protection equipment and employee training is far less than enduring the embarrassment and expense of remediating critical breaches.

The teams that will survive the early rounds of the tournament and play in the “Final Four” will be the teams with a good game plan, smart players and strong defense…and the team that wins it all will also have a little luck as well.

Good luck on your brackets!

Posted: 30/03/2017 15:18:43 by Network Critical with 0 comments

What's the Worst that could Happen?


That question could be aptly described as the modus operandi for almost every security professional I know. But today, ‘fearing the worst’ has begun to creep beyond the realms of hypothetical scenarios and is far closer to a real, meaningful possibility.

We all know why cyber-crime has earned its place on the political agenda and why the threat of cyber warfare on a global scale is also enjoying its share of headlines. In some ways, it’s reassuring that the potential threat of a devastating attack has the visibility it needs. It’s been a long-time coming.

My main concern is that the common tone of the debate suggests that it’s tomorrows problem; in reality, the size and scale of the threat is too big to dismiss.

Virtual doomsday

And for all we know, our ‘virtual doomsday’ (when it all hits the fan), may not be in amongst clear political turmoil. It could just turn out to be an ordinary day.

Before you even have the chance to shower or grab some breakfast, one arbitrary glance at your phone to check your various social networks or news channels could notify you that they are all being held to ransom by denial of service.

With exception of course, to one dedicated channel which tells you that we are being attacked on a national scale.

Then you go to switch on a light, only to realize that the electricity supply has also been compromised and your local grid has been taken down. You’d like to make a pot of coffee to give yourself a sense of calm but the one remaining controlled newsfeed also tells you that there may have also been a chemical attack, so using the water supply could also be a bad idea.

By this point, you’ll probably have realized that it’s going to be a long day in the office and an even longer one if you represent our military forces. Our highly-networked U.S. Defense system has turned out to be a double-edged sword that (if an attack is well-timed or undetected) could do us as much damage as we could do to our enemies.

And with the potential for our combat systems to be affected, there’s a lot more at stake than being able to check your timeline.

With all this disarray, you may figure that there is strength in numbers, so you decide to brave-it and head into work, but the trouble is all public services have also been affected. The entire subway network is disabled, the roads are gridlocked in panic, gas stations are depleted and all airports are on high-alert because air traffic control has also been compromised.

On the one hand, you could dismiss this as a weak sequel to the Die-Hard series. On the other and in the cold light of day, it is well within the realms of possibility.

Strength in sophisticated numbers

If you take-into-account real-world attacks, that have included the ceasing of US Military email used by joint Chiefs of Staff, it shows how easily we are potentially brought to our knees in panic.

History says the bad guys like to hit us where it hurts and the devastating capability of cyber-attacks is only gaining strength.

One clear area where we can marginalize our risk is by beginning to share best practice more proactively and by bringing ideas to the table that instigate change for the better.

We may be increasing our ability to react in the event of an attack, but in order to go toe-to-toe with the bad guys, we need to diversify our approach and share ideas within what is, without exception an industry awash with intelligent, forward-thinking professionals.

The worst thing that can happen has become a possibility - the best thing we can do is to outsmart, outpace and outmaneuver; and that needs proactive ideas, followed by action.

You can join my closed-door LinkedIn Group – ‘The Cyber Defense Forum’, here.

Posted: 30/03/2017 13:18:10 by Network Critical with 0 comments

It's a Mod Mod World


With apologies to William Shakespeare, “To be (modular) or not to be (modular). That is the question.” Many network products from TAPs and Packet Brokers to security appliances and switches offer varying levels of modularity in their design. The associated advantages and risks with each design approach make for an interesting discussion.

Modularity The primary advantage to a modular design is flexibility. A product that is designed with groupings of ports in modules is a chameleon. A single chassis can support a variety of applications, speeds, media and connections. After the initial design, when needs and/or speeds change down the road, a complete system change is not usually required. One can simply replace one module with an different version to accommodate the new requirement.

A modular TAP is a good example. TAPs are used to efficiently connect security and analysis appliances to network links. TAPs offer secure and fail safe tool connections so network managers can protect, analyze and enhance network performance. However, many networks have a variety of physical connections, speeds and media throughout the network. Modular TAPs embrace a variety of connection requirements by making standard modules that fit in a single chassis. This way multi-mode fiber connections, single mode fiber copper connections, 1Gbps connections, 10Gbps, can all be accommodated by a single chassis.

This design also simplifies power requirements. Rather than racking up a number of different chassis each with its own power requirement, a single modular chassis can be racked and powered using different modules as required.

Another benefit is growth accommodation. Since the chassis is usually the least expensive component in this design, managers can deploy a larger chassis than what is currently required and add ports as needed down the line for growth.

Reliability is another consideration. While the design of a modular system may be very reliable, modular systems have more opportunity for human error by improper insertion of modules damaging connectors. Once everything is installed and connected, modular and fixed systems have similar reliability results. So, with proper training and care, modular systems can closely match reliability of fixed systems but human error must be more closely managed.

Modular systems add a little to manufacturing costs because there are more components and a more complicated design than a single use fixed platform. This extra cost may be mitigated by the benefits noted above. Over the long run, total cost of ownership may actually be lower than a fixed system.

Fixed Systems Even though modularity has many benefits, fixed systems have a place in the network equipment market as well.

Fixed systems are cheaper to design and manufacture. There are fewer connection points and fewer components needed to perform the required function. So, if the application is fixed and not expected to grow or change, some budget money may be saved using a fixed configuration system.

Reliability is generally good with fixed systems. There are fewer components and connectors that can cause problems. The installation and deployment functions are usually simpler with fewer opportunities for human error. Not that I say fewer opportunities for human error. We all know that no product is completely “human proof.”

Overall reliability relies on many factors including the engineering and manufacturing quality of the vendor. One of the critical issues with fixed systems is that if the product fails, there is no way to partially fix it. The solution to a failure is usually to return the entire system for repair or replacement. Depending on the criticality of the function, a failure may bring the network down or require severe work arounds until the product can be replaced or repaired. Modular systems, by comparison, may have replacement modules in local stock for simple and fast replacement of failed components.

Hybrids Many systems offer a hybrid solution providing basic port connections augmented by slots for a variety of application and connection requirements. The systems provide the best of both worlds in flexibility and growth and also similar, although less critical, problems associated with fixed systems.

There are some cost savings by integrating base connection functionality with the chassis. If the base configuration fits your needs this solution can be attractive. The extra slots, if flexible in speed, connectivity and media can provide for easy management of growth and network changes. Problems with the connections in the integrated base chassis may still require a system change but problems in the modules may be easily mitigated.

Conclusion The conclusion here is that “it depends.” There is actually no right or wrong solution when it comes to the fixed vs modular discussion. Like many other design issues, your specific requirements will guide the decision. It is important to look at all options in relation to what you are trying to accomplish and available budget.

The message here is that there is no substitute for thorough, thoughtful and meticulous planning. Chart our your needs for speed, media, connectivity, reliability, future flexibility, growth and cost. Search out a vendor that provides the solutions that meet your requirements grid.

Fortunately, companies like Network Critical offer solutions that are completely modular, completely fixed and hybrids. You will find a wide variety of network monitoring solutions in the Network Critical portfolio supported by a team of experts to help you develop and support your specific network needs. For more information or to talk with a network monitoring expert go to www.networkcritical.com.

Posted: 17/03/2017 13:44:07 by Network Critical with 0 comments