Keeping on top of the network

These are hard times for network managers. Ebusiness means an escalation of traffic more diverse and critical than ever. Organisations also require new management strategies - software tools, outsourcing, policy-based networking - in ever greater numbers.

Network management is the single biggest operational problem for 38 per cent of businesses, according to Forrester Research. "Even though the internet is a growing component of operations, keeping internal networks running remains IT management's focus," says Frank Prince, a research analyst at Forrester.

Network management is becoming increasingly costly as enterprise networks extend their reach - and not just from a purchasing angle. The average large enterprise loses $3m each year in staff productivity alone through wide area network (Wan) downtime.

To help you through the maze, Computing has identified four key areas that affect the management of your networks: ebusiness, bandwidth, security and outsourcing. We explain the challenges you and your network manager face, and how technology can help you.

Ebusiness
Once upon a time, buying a piece of network management software from Tivoli or Computer Associates was all you had to worry about. With the growth of ebusiness, however, the stakes have changed; networks are wider and failures become immediately apparent to partners and customers.

Ebusiness increases the cost of downtime exponentially. When eBay suffered a 22-hour blackout, for example, $2.25bn was wiped off its share value. Consequently, businesses require specific network management strategies that can monitor performance of internet connections. The key product in this sector is mapping software, which can monitor data speed at every point between the customer and your back-end systems.

Carrier 1, a UK ISP, uses Riversoft, which provides managers with a real-time representation of performance. "It lets us take a proactive approach to management and saves time identifying faults," says Paul Wynne, director of internet operations at the company. "This minimises the impact of network management on the business as a whole."

Policy-based management is another option, and one that analysts predict will become increasingly popular. The method lets managers define global rules about how different types of traffic are prioritised on the network.

"This will become important as you start protecting the most important ebusiness applications from the less critical internal applications," says Caryn Gillooly, director of research at researcher and management consultant the Hurwitz group.

This means that the network manager can specify applications, such as email, where some degradation of service is inconsequential, says Dean Hickman-Smith, European managing director of Layer 5 Software. "Bandwidth priority is given to applications where degradation would be really noticeable, such as multimedia."

But policy-based management doesn't come cheap: Layer 5's software costs about $14,000 a shot, and a company may need to buy up to 150 licences to cover its entire network. One early adopter of policy-based management is Friends Ivory & Sime. The fund manager rolled out Novell's network management suite to support a virtual private network linking the company's UK offices to New York and Hong Kong. The implementation will save 70 per cent of the cost of a leased line, says Kevin McGuire, the firm's IT manager.

BorderManager is used to manage traffic at the border between the corporate network and the internet, and the company will shortly deploy Novell's ZenWorks for servers and networks.

"ZenWorks will enable the move to policy-based networks," McGuire says. "We will be able to prioritise traffic at a granular level around the network, giving preferential bandwidth for selected back-end applications over the net. This provides the benefit of a high-bandwidth network when you need it, without investment in new infrastructure."

Bandwidth
The most common explanation for network downtime is bandwidth problems. Napster did more than make a millionaire of its inventor; the music download site has caused countless headaches for IT departments. Napster hogged 61 per cent of bandwidth capability at Indiana University last month.

"Bandwidth abuse is an issue for companies big and small," says Kerry Stackpole, president of the Ebusiness Forum. "You want to make the best use of your bandwidth because you have to accomplish the real business of the organisation."

Three-quarters of IT managers will increase their bandwidth this year, according to the Hurwitz Group. And that is only the beginning. The only way to stop your organisation embarking on an ever-increasing cycle of bandwidth spend is to maximise the performance of the bandwidth already available.

This starts with good basic management, says Robin Bloor, chief executive of analyst the Bloor Group. "Any company that lets employees download Napster, or anything else, should sack its network manager on the spot," he adds.

An important step is to implement technology that controls the flow of information across the network - namely switching.

Bloor likens network traffic to a motorway with several lanes of fast-moving traffic. Poor bandwidth management is the equivalent of sending a series of 50-mile long lorries down the road. Switching can divert that traffic onto quieter roads. Switching products are available from the main network vendors, including 3Com, Lucent and Nortel. The trouble with these products, however, is that they lack intelligence and need to be configured.

A new breed of software tools can supplement the role of switches in network management. Desktalk's Trend Software, which is used by Anglian Water, monitors traffic flow across the network and produces reports on how well bandwidth is being used.

Similar products include Border Manager and GroupShield. "The Big Brother approach is the most efficient way of ensuring that your network is running at optimum performance level," says Paul Donovan, European managing director of Desktalk Systems.

Filtering software goes a step further by using 'packet sniffing' technology to block data packets which breach company policy . Products such as SurfControl intercept bandwidth-hungry packets and will allow or disallow the network connection to proceed according to centrally-defined rules.

An alternative strategy is to redistribute network content to optimise bandwidth performance. Inktomi's software lets companies take the most popular internet content, such as download files, and deliver them closer to the user, on local servers.

Security
The days of feeling safe because you have a firewall are history. A typical website is live for just 20 minutes before someone attempts to hack it, according to the Bloor Group. Hackers are getting through firewalls at the application layer; they are finding holes in badly secured remote connections; they are walking in the front door as employees.

Network security began with a firewall protecting the perimeter, but this is no longer sufficient, says Craig Thomas, IP solutions marketing manager for network integrator Alcatel. "Firewalls and routing filters do a great job of protecting the Lan from attack, but do nothing once data crosses into the public network."

The internet has made large companies aware of the need for intrusion detection systems and other internet-centric products, such as content and URL filtering servers, network virus scanners and vulnerability scanners which augment network security by examining data that's passed through the firewall.

When British Gas rolled out an upgraded Wan for its service engineers, the company supplemented OpenView network management tools from Hewlett Packard with a trusted host password system and limited outward traffic through secure routers to specified network nodes. Honeywell, the company's network service provider, implemented a system that alerts British Gas to security breaches, and can identify originating nodes. "Diligent security monitoring means that problems can be identified before they affect our business," says Terry Dudley, IT customer support manager.

In practice, security is often a trade-off between a variety of factors and the ability of an organisation to control end users, says Aaron Settipane, a BBC IT co-ordinator. In this respect, the latest releases of Microsoft's Windows and NT have helped many administrators, he says. "If they configure their workstations properly, they can lock out a lot," he says. "But it also creates a lot more maintenance," he adds.

Vendors are addressing the problem with security frameworks - platforms that consolidate multiple security functions. These products integrate firewalls, virtual private networks, intrusion detection systems, virus-scanning, and URL filtering into a single product.

The promise of frameworks is that they simplify network management with centralised management and administration, while offering automated intelligent event processing and correlation.

The situation is not helped by the fact that there are two differing security platform standards: CheckPoint's open platform for secure enterprise connectivity (Opsec) and Alcatel's internet protocol security (Ipsec).

CheckPoint's integrated firewall, virtual private network and security package (version 1 or 2) is the market leader, followed in popularity by similar products from Axent, IBM and Network Associates. These offer basic integration between diverse products such as firewalls, intrusion-detection systems and virus scanners.

Outsourcing
With all this to juggle, perhaps it's best to leave network management to the experts. Some 22 per cent of businesses outsource network management, but this figure rises to 46 per cent for general internet services and 44 per cent for extranets, according to Forrester Research. "By 2005, corporations will need management services, not management tools," says Prince. "Services will manage ecommerce transactions in a meaningful way. Tools will merely tell managers whether servers are up or down."

A second factor driving network management outsourcing is the skills shortage, says James Dell, director of Parallel, a network services provider. "Using internal teams can mean that companies lose money because of fire fighting and improperly-tuned Wan configurations," he says.

Insurance group Royal & Sun Alliance made the decision to outsource its systems and network management to ICL when it rolled out a new life policy administration system, called Unisure, to replace its IBM mainframe system.

Consultants implemented Computer Associates' Unicenter, which offered the required cross-platform support and the security essential for a financial solution.

"It was a complicated rollout - the first time in the world that Unicenter had been implemented on a mixed Sun and Sequent environment. We chose to work with ICL on Computer Associates' recommendation," says Chris Beazer, internal IT consultant at Royal & Sun Alliance.

In addition to automating routine network management, which had previously been performed manually, ICL can monitor network performance on Unix systems, alerting operational staff to exceptional conditions. The system allowed the automation of routine network management, which would otherwise have been performed manually.

While the company admits to some problems with the software, the presence of outsourcers was a comfort, says Beazer. Royal & Sun Alliance now has probably one of the largest implementations of Unicenter TNG in the world, with 3300 defined users and some 8000 job specifications.

When it comes to high-availability networks, there's no single answer, just as there is no single point of failure. While IT directors implement best practices to improve their chances, it's still a gamble.

There are simply too many factors that can bring down the network. The only sure things are planning and preparation.