Improving security through a smarter infrastructure

Intelligent physical layer management can provide a host of benefits, including more secure networks.

by Carrie Higbie

Any network manager will tell you the importance of a fully documented network. Documentation should include all workstations, Internet Protocol (IP) addresses, router configurations, firewall parameters, and other data. But the documentation may fall short at the physical layer. In particular, older networks that have gone through many moves, adds, and changes (MACs) are not likely to have current documentation.

Figure: An intelligent system includes patch panels that are configured with a sensor pad above each port.

In real time—during a crisis—current physical-layer documentation can mean the difference between quickly solving a problem and wasting precious time locating that problem’s source.

A real-life crisis

For example, a customer recently had an issue with an errant device on the network. The company had a five-building campus network, and a laptop was creating a denial-of-service (DoS) attack from the inside due to a virus. The switch would shut down the port, and information-technology (IT) staff would go to the telecommunications area to determine the location of the misbehaving device. But when IT got to the switch’s physical location, the physical layer—largely undocumented—became an issue because short of tracing cable, there was no way to find the laptop’s location.

The IT staff began tracing the cables, only to find that the laptop was no longer there; the user believed his loss of connectivity was due to a network problem, and each time he was disconnected, he moved to another location—only to find that he would soon lose his connection there, too.

In this scenario, the switches were doing their job by shutting down the user’s port. The user was “troubleshooting” his own problems. IT was having difficulty finding the user to correct the problem. And the cycle continued.

Points of compromise

At one point, the user concluded the problem must have something to do with the equipment on that particular floor, so he moved to another floor. After being disconnected again, he decided the problem was with the building’s security settings—so, he moved to another building. Again, the cycle continued.

Roughly five hours later, the laptop and its user were found and the problems were corrected. For the IT staff, it was five hours of pure chaos; for the user, five hours of pure frustration.

In other scenarios, compliance and overall network security can also be compromised at the physical layer. Most companies have desks and cubicles that are largely unoccupied and used by staff members who can be considered transient. Conference rooms with available ports can also pose a risk. In many vertical markets in which compliance is required, these open ports can cause a company to fail its audits unless:

  • The ports are shut down completely, or
  • A means exists by which only certain users can gain access to the network through these connections.

The only other option is to firewall these ports from the actual network, which would mean a reconfiguration each time an authorized user wanted to use the port. All these risks and their remedies can be burdensome to an IT manager.

In the data center and telecommunications areas, technicians provide an additional risk if they accidentally unplug something. If, for example, the accidental disconnect was a Voice over IP switch or a critical server, the results would be devastating. What if a piece of equipment containing critical information is removed from a facility, as has been reported in the news many times recently? How does a network manager know who has accessed the network? Where did this person/these people access the network? How is access documented? And finally, how are MACs managed? These questions are not only intriguing, but also extremely challenging to IT managers.

The intelligent answer

Intelligent patching has been around for some time; however, functionality has improved from the original releases. In any of the scenarios described above, an intelligent infrastructure management system would have allowed the network manager to right-click on the offending device, view the entire channel, and even locate the device on a graphical map.

An intelligent infrastructure management system’s graphical mapping capabilities include clear markings of outlet locations on computer-aided design (CAD) drawings. By adding the physical layer, network managers are no longer limited to upper-layer information. While knowing the media access control address (MAC address—not to be confused with moves/adds/changes), IP address, and logon information is helpful, should physical layer documentation be out of sync with the actual infrastructure, finding problem devices can be daunting. Intelligent patching bridges that gap.

The intelligent system works through a combination of sensor-enabled hardware and software. On the hardware side, the patch panels are configured with a sensor pad above each port. The pad is connected to an analyzer via a connection on the back of the patch panel. A standard patch cord with an additional conductor is connected to the front of the system.

The patch cord has a standard 8-pin modular/RJ-45 interface or a standard fiber connector, but also includes a “ninth conductor” designed to contact the sensor pad. This additional connection allows the system to operate in dynamic mode by detecting changes in real time—thus removing the human-error factor from documentation work as the continuity or changes in continuity provide real-time information to the database.
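The following simulation is an added example and is not Siemon’s software or any real analyzer protocol. It assumes the analyzer reports, on each scan, which pairs of sensor pads are bridged by a patch cord’s ninth conductor; the database diffs each reading against the last one, so connect and disconnect events are recorded without anyone updating a spreadsheet. It also walks the channel from a switch port to its outlet and room, which is the trace the campus example above needed. Port names, outlets and rooms are constructed.

```python
from datetime import datetime

# Constructed documentation record: horizontal patch-panel port -> (outlet, room)
# as it would be read off the CAD drawing. Hypothetical names, not a real site.
OUTLETS = {
    "A-01": ("B2-101-1", "Building 2, Floor 1, Room 101"),
    "A-02": ("B2-101-2", "Building 2, Floor 1, Room 101"),
    "A-03": ("B2-204-1", "Building 2, Floor 2, Conference Room 204"),
}


class PhysicalLayerDb:
    """Keeps the patch-cord state the analyzer reports and answers channel traces."""

    def __init__(self, outlets):
        self.outlets = outlets
        self.cords = set()   # each entry: frozenset of the two sensor pads a cord bridges
        self.log = []        # (timestamp, "connect"/"disconnect", end_a, end_b)

    def apply_scan(self, detected, when):
        """Diff a fresh continuity reading against the last known state.

        `detected` holds one pair per cord whose ninth conductor currently
        touches a sensor pad at both ends (assumed analyzer output). Nobody
        types anything: the events come from what the hardware sees.
        """
        detected = {frozenset(pair) for pair in detected}
        events = []
        for cord in sorted(self.cords - detected, key=sorted):
            events.append((when, "disconnect", *sorted(cord)))
        for cord in sorted(detected - self.cords, key=sorted):
            events.append((when, "connect", *sorted(cord)))
        self.cords = detected
        self.log.extend(events)
        return events

    def trace(self, switch_port):
        """Follow the channel from a switch port through its patch cord to the outlet."""
        for cord in self.cords:
            if switch_port in cord:
                (far_end,) = cord - {switch_port}
                outlet, room = self.outlets.get(far_end, (None, None))
                return {"patch_port": far_end, "outlet": outlet, "room": room}
        return None


def rooms_for_shutdown_ports(db, shutdown_ports):
    """Given the ports the switches shut down, return the room IT should go to."""
    return {port: (db.trace(port) or {}).get("room") for port in shutdown_ports}


if __name__ == "__main__":
    db = PhysicalLayerDb(OUTLETS)
    now = datetime(2008, 3, 3, 9, 0)
    db.apply_scan({("SW1-07", "A-01"), ("SW1-08", "A-03")}, now)
    print(rooms_for_shutdown_ports(db, ["SW1-07"]))
    # The user moves to the conference room: a different switch port now trips.
    print(rooms_for_shutdown_ports(db, ["SW1-08"]))
```

The point of the diff in `apply_scan` is that a technician who re-patches a cord and never touches the documentation still produces a disconnect/connect pair in the log, so the next trace is right; a spreadsheet-based record would have kept pointing at the old outlet.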

The system works with both copper and fiber, and is scalable to let end users purchase only what they need, when they need it. Analyzers are available in a variety of configurations as well. Software is purchased on a per-port basis and can work either as a standalone application, or integrated with an existing network-management package.

Figure: Each patch cord includes a “ninth conductor” designed to contact the sensor pad, allowing for detection of changes in real time.

In an integrated configuration, a device and its channel can be traced from within a network management package, such as HP OpenView. A simple right-click on the device and the software can be launched, showing an immediate trace of the physical cable. The trace includes all the information about the channel, including patch cords, where the channel terminates, and the number of connectors within the channel. It can also show the physical location of the device on a CAD drawing.

The software reads the object identification information for network devices through Simple Network Management Protocol (SNMP), and can also send SNMP (including Version 3) traps to shut down ports based on user-defined parameters. This provides great benefit when the physical layer is included. For instance, if you wanted to know the location of every personal computer on your network that is running Windows 2000, you could have that information displayed graphically as well as in report format.

The Virtual Wiring Closet (VWC) module provides documentation on the telecommunications rack, including connectivity, patch-cord length, and where each device is connected. It becomes a data dictionary for your racks and/or cabinets.

Work orders and security

A significant benefit of the intelligent patching system is that it will track MAC work automatically, saving IT departments from the manual process of updating spreadsheets and documentation. The package also includes a module for work-order creation. Work orders can be dispatched, and the changes automatically tracked, allowing a manager to know when the work was completed.

The intelligent physical layer management system can also be integrated with other security systems, such as APC’s NetBotz or video cameras. Based on user-defined triggers—for instance, when someone unplugs a VoIP switch—a camera can snap a picture, write it on the log and, as you would expect from management software, can provide alarms via e-mail, cell, or pager, complete with escalation for unanswered alarms.

Contacts can be placed on entrance doors to rooms or cabinets. As soon as the contact is broken, the same logging can initiate, including a log entry indicating date and time as well as photographic/video evidence of the culprit.
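The trigger-and-escalation behaviour described in the two paragraphs above, as an added example that is not the vendor’s software: a physical-layer event (a disconnect on a port tagged critical, or a cabinet door contact opening) is logged, matched against a user-defined trigger table, tied to a constructed camera-snapshot reference, and then notified down an escalation chain until someone acknowledges it. The trigger table, recipients, timings and a minute-based simulated clock are all assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed policy: physical-layer events worth an alarm. Port and asset names are hypothetical.
TRIGGERS = {
    ("disconnect", "SW1-01"): "VoIP switch uplink unplugged",
    ("disconnect", "SW1-02"): "payroll server unplugged",
    ("door_open", "cabinet-3"): "data-center cabinet 3 opened",
}

# Escalation chain: (channel, recipient, minutes after the alarm was raised).
ESCALATION = [
    ("email", "noc@example.invalid", 0),
    ("cell", "on-call technician", 10),
    ("pager", "IT manager", 25),
]


@dataclass
class Alarm:
    description: str
    raised_at: int                       # simulated clock, in minutes
    evidence: str                        # constructed camera snapshot reference
    level: int = 0                       # how many escalation steps have fired
    acknowledged: bool = False
    notifications: list = field(default_factory=list)


class AlarmManager:
    def __init__(self, triggers=TRIGGERS, escalation=ESCALATION):
        self.triggers = triggers
        self.escalation = escalation
        self.alarms = []
        self.log = []

    def on_event(self, event, asset, now):
        """Every event is logged; only events matching a trigger raise an alarm
        and (here, by reference only) have the camera snap a picture."""
        self.log.append((now, event, asset))
        description = self.triggers.get((event, asset))
        if description is None:
            return None
        alarm = Alarm(description, now, evidence=f"camera-snapshot-{now}.jpg")
        self.alarms.append(alarm)
        self.tick(now)                   # fires the level-0 notification immediately
        return alarm

    def tick(self, now):
        """Escalate each unanswered alarm whose next deadline has passed.

        The `while` lets a late tick catch up on several missed deadlines,
        so a stalled poller still ends up paging the right people.
        """
        for alarm in self.alarms:
            while (not alarm.acknowledged
                   and alarm.level < len(self.escalation)
                   and now - alarm.raised_at >= self.escalation[alarm.level][2]):
                channel, recipient, _ = self.escalation[alarm.level]
                alarm.notifications.append((now, channel, recipient))
                alarm.level += 1

    def acknowledge(self, alarm, now):
        """An acknowledged alarm stops escalating but stays in the log."""
        alarm.acknowledged = True
        self.log.append((now, "acknowledged", alarm.description))


if __name__ == "__main__":
    manager = AlarmManager()
    alarm = manager.on_event("disconnect", "SW1-01", 0)
    for minute in (9, 10, 40):
        manager.tick(minute)
    print(alarm.notifications)           # email at 0, cell at 10, pager at 40
```

In a real deployment the event source would be the analyzer’s continuity scan and the door contacts, and `tick` would be driven by a clock; keeping the trigger table and the escalation chain as plain data is what lets a network manager change who gets paged without touching code.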

In search of thorough answers

While this article explains a few of the features of an intelligent patching system, the overall benefits are significant. If we go back to the example described earlier, had an intelligent system been in place, a simple right-click would have saved five hours of chasing down a user. Not only would the documentation be up to date, allowing the network manager to know where that switch port terminated in the building, it also could have shown the location graphically. The IT staff very likely would have gotten to the user before his frustration began and he started moving from place to place.

Where security- and compliance-related issues are concerned, the additional documentation and logging abilities not only enhance a company’s security position, but also answer many of the compliance-related requirements of documentation and access logging.

After all, most troubleshooting and investigations start with who, what, where, when, why, and how. By adding the intelligent physical layer to your overall management, the answers to these questions are easier to attain and more thorough.

CARRIE HIGBIE is global network applications market manager with Siemon (www.siemon.com).