From a network discovery standpoint, an accurate inventory of devices that can technically support IPsec is critical. It is important to know which network devices will need to be upgraded for cost estimation purposes, but it is just as important for implementation, since in many cases IPsec will break access control lists (ACLs) on devices that do not support it. Sometimes the device hardware footprint will not allow a device to function properly under peak loads in a network running IPsec, so identifying network hardware that can receive a RAM upgrade is important. Understanding how traffic flows at different times can help identify potential weaknesses in the infrastructure that will cause significant bottlenecks once IPsec traffic begins to flow through a particular device. An effective network discovery solution will show where all of the devices and ACLs on the network are located, report on their configurations and profiles, and show how traffic flows through them.
From a host point of view, understanding which devices are connected to the network and gathering basic information about their operating system, services, and configuration is crucial to success. Having this information allows network managers to understand which version of the operating system is running on Windows servers and desktops for upgrade planning purposes, but this information is also necessary to understand the basic profiles for non-Windows machines, since these machines represent the bulk of the untrusted network. IPsec creates a great deal of overhead that could cause performance problems for any machine in the infrastructure that lacks the performance capabilities to run IPsec. The challenge is to pinpoint these machines, since in a large network, hosts tend to disappear from management. Finding and managing these unknown and untrusted hosts is perhaps the greatest single factor in reducing the risk profile of an SD&I migration.
Creating Visibility through Network Discovery
Clearly, enterprises need strong network discovery capabilities to create the visibility needed to plan, execute and manage a Windows Vista SD&I project. And though there are a number of approaches one can take to obtain this discovery competency, most are either unfeasible or too prone to mistakes. Manual discovery, for example, would prove too time consuming and, in any case, the inevitable human errors would significantly increase delays and costs for any migration project. Automated discovery using traditional network management auditing tools can play a role in the ultimate solution; however, these tools are insufficient by themselves. Most of these traditional solutions only respond to requests based on a single protocol, and will return responses for assets that respond to whatever management protocol is being used. SMS, for example, will only find hosts in Windows domains. While Microsoft recommends the use of automated discovery tools, it acknowledges their weaknesses: "One problem with automated systems, however, is that hosts that are offline, unplugged, or otherwise physically (or logically) unable to respond to queries for information will not show up in the final database. Even the most automated systems require an element of manual management to ensure that the hosts are accessible and accounted for correctly." [4]
A multi-protocol discovery tool will fill in many of these gaps, particularly for the untrusted portion of the network, limiting the amount of manual discovery network staff must perform. Standardizing on a discovery solution that shows connectivity in addition to asset inventory will find weaknesses in the infrastructure and in security policy throughout the life of the migration project.
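The following script is an added illustration of the multi-protocol discovery idea described above and of the device-capability inventory discussed earlier; it is not Lumeta's product or any Microsoft tool. It merges three constructed discovery sources (a Windows-domain inventory that only sees domain members, an SNMP walk of network devices, and a network-layer sweep that sees anything answering on the wire) and sorts the result into the buckets an SD&I plan needs: hosts seen only by the sweep (unknown and untrusted), devices whose reported capability or RAM would not carry IPsec (upgrade candidates), and hosts known to management that did not answer (the offline case Microsoft warns about, which needs manual follow-up). The record fields and the RAM threshold are assumptions for the example, not vendor figures.

```python
"""Merge multi-protocol discovery results into a single host inventory.

Added example (not the white paper's or any vendor's code). All records are
constructed; field names (ipsec_capable, ram_mb) and the threshold are assumed.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed results: each source reports only what its own protocol can see.
DOMAIN_INVENTORY = [                      # SMS-style agent inventory, domain members only
    {"ip": "10.0.1.10", "os": "Windows Vista", "domain": "CORP"},
    {"ip": "10.0.1.11", "os": "Windows XP", "domain": "CORP"},
    {"ip": "10.0.1.12", "os": "Windows Vista", "domain": "CORP"},  # powered off today
]
SNMP_DEVICES = [                          # network devices answering SNMP
    {"ip": "10.0.1.1", "model": "router-A", "ipsec_capable": True, "ram_mb": 512},
    {"ip": "10.0.1.2", "model": "switch-B", "ipsec_capable": False, "ram_mb": 64},
]
NETWORK_SWEEP = [                         # ICMP/ARP sweep: anything that answered
    "10.0.1.1", "10.0.1.2", "10.0.1.10", "10.0.1.11", "10.0.1.42", "10.0.1.77",
]

MIN_RAM_MB_FOR_IPSEC = 256  # assumed planning threshold for this example


def merge_inventory(domain, snmp, sweep):
    """Return {ip: {"sources": set, <attributes>}} built from every source."""
    hosts = defaultdict(lambda: {"sources": set()})
    for rec in domain:
        hosts[rec["ip"]]["sources"].add("domain")
        hosts[rec["ip"]].update({k: v for k, v in rec.items() if k != "ip"})
    for rec in snmp:
        hosts[rec["ip"]]["sources"].add("snmp")
        hosts[rec["ip"]].update({k: v for k, v in rec.items() if k != "ip"})
    for ip in sweep:
        hosts[ip]["sources"].add("sweep")
    return dict(hosts)


def classify(hosts):
    """Sort merged hosts into the buckets a migration plan needs."""
    buckets = {"unknown": [], "unreachable": [], "upgrade": [], "managed": []}
    for ip, h in sorted(hosts.items(), key=lambda kv: ip_address(kv[0])):
        src = h["sources"]
        if src == {"sweep"}:
            # Answered on the wire but no management protocol knows it: untrusted.
            buckets["unknown"].append(ip)
        elif "sweep" not in src:
            # Known to management but silent right now: verify by hand.
            buckets["unreachable"].append(ip)
        elif "snmp" in src and (
            not h.get("ipsec_capable") or h.get("ram_mb", 0) < MIN_RAM_MB_FOR_IPSEC
        ):
            # Device cannot carry IPsec traffic as configured or provisioned.
            buckets["upgrade"].append(ip)
        else:
            buckets["managed"].append(ip)
    return buckets


def run_discovery():
    """Convenience entry point returning the classified inventory."""
    return classify(merge_inventory(DOMAIN_INVENTORY, SNMP_DEVICES, NETWORK_SWEEP))


if __name__ == "__main__":
    for bucket, ips in run_discovery().items():
        print(f"{bucket:12s} {', '.join(ips) or '-'}")
```

The design point is that each bucket comes from the set of sources that saw a host, not from any one tool's answer: a host present only in the sweep is by definition outside management, and a host present only in management data is the offline case that an automated tool alone would silently drop.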
EMBRACING MICROSOFT VISTA FOR ENHANCED NETWORK SECURITY
4
Copyright Lumeta Corporation. www.lumeta.com
[4] Microsoft Solutions for Security and Compliance (MSSC), Server and Domain Isolation using IPSec and Group Policy. Microsoft Corporation. p. 45.