Regulatory compliance is no longer a simple afterthought for public companies – it is now a business-critical requirement that extends to the management of corporate networks.
In fact, according to a recent Gartner study, an estimated 10% to 15% of corporate IT budgets are now being directed to managing Sarbanes-Oxley Act (SOX) compliance needs alone. These percentages are not surprising, given that SARBOX requires ongoing diligence in the areas of data accessibility and network change management, with stipulations that all network changes, authorized or unauthorized, must be tracked and auditable. Furthermore, should a company or individual breach the regulations, fines of up to $25 million and 5 years in prison can be levied against the organization and its executives.
Tracking changes and updates to an enterprise’s IP address space is cumbersome; existing spreadsheets and home grown applications are not linked to DNS and DHCP and keeping these inventories accurate is increasingly difficult. The complexity of managing these networks is driving the need for dedicated IP address management solutions.
IP Address Management (IPAM) enables organizations to improve the availability of network applications (logical services) by eliminating network conflicts and outages. IPAM systems track critical assets and ensure network security through enhanced end-user visibility. Most companies have been operating without a formal IPAM solution, and many are now realizing they can no longer afford to go that route. Effective IPAM is more than spreadsheets or a custom database that is loosely tied to DNS and DHCP.
Beyond compliance with corporate use and access policies, IPAM plays a crucial role by helping organizations to comply with external regulations such as the Sarbanes-Oxley Act (SOX); a policy that is designed to tighten internal controls of financial reporting and enforce accountability through strengthened internal controls over the transfer of sensitive financial data across corporate networks.
IPAM solutions offer an efficient way for organizations to comply with corporate and security regulations – including SOX, GLBA, CPI, SAS 70 and HIPAA – by providing real-time and historical data about configuration management, network usage, resource availability, and network access control.
The Cost of Service Loss
Enterprises keenly appreciate applications such as the Web, e-mail, VoIP and CRM as critical to maintaining ongoing business operations. To this same extent, organizations must invest a great deal of time and resources to ensure the network is defended against threats, while taking measures to ensure that it is highly scalable and highly available.
According to Gartner Group, the cost of losing a mission-critical business application for a small organization (100 users or more) averages, between $106,000 to $183,000 USD per hour of lost revenue (Gartner Group, April 2005). Beyond the ability to provide uninterrupted service to customers, outages can lead to information loss that causes issues for compliance with external regulations.
Organizations must look at reducing the cost of compliance while improving network manageability and usability.
The Role of DNS and DHCP Services
IPAM solutions are responsible for maintaining accurate data on IP inventories and their related allocations through domain name services (DNS) and dynamic assignment (DHCP). Organizations must have real-time data about IP address allocation by configuration, zone and subnet, while also tracking MAC addresses, authorization access data and more.
In an effort to ensure high systems availability and business continuity, enterprises often focus too much attention to the physical design of the network. Organizations will go to great lengths to implement load balancers, redundant switches and firewalls, redundant internet connections yet they often overlook the importance of logical services which are integral to delivering corporate IP enabled communications. However, should DNS, DHCP services fail; the entire network will cease to operate.
When a switch or router fails, a network segment may be without service. If DNS fails the resulting service outage will span the entire network; this has a direct impact on the availability of mission-critical applications such as email, VoIP, Web, CRM, POS and Inventory Management Systems.
DNS and DHCP are mission critical services that must maintain the highest levels of availability. As applications and multi-mode communications such as VoIP converge on IP networks, ongoing scalability and reliability of the network come to bear.
DHCP greatly reduces the risks associated with misconfiguring internal static hosts and is a pivotal service used to deliver mobility and next generation applications such as VoIP and wireless communication. DHCP is not only used to grant IP addresses to IP phones and laptops but it is also used to validate the authenticity and identity of an end-user when combined with external authentication schemes such as LDAP/RADIUS/AD/Kerberos.
DHCP greatly reduces network complexity because IP allocation is no longer micro-managed in relation to DNS. This dynamic system of network host configuration ensures a more efficient utilization of increasingly scarce IP addresses through lease management.
Many first and second generation IPAM solutions focus on simply gathering abstracted sets of data on access controls, configuration management and event logging. Left alone these data sets may seem valuable, but they still require advanced analysis which further adds to the cost of compliance and slows response time for conflict or event resolution. Often, expensive third party analysis tools or manual scripting is required to make use of the data.
Next generation IPAM solutions offer improved retention of the correct data sets and improve enterprise-wide data integration while providing data accessibility and manageability.
Enterprises adopting such a centralized IPAM solution with built-in replication and high availability benefit from a solution that is not reliant on a single point of failure (i.e. the cluster master). Should any DNS or DHCP server on the network fail, the IPAM solution will manage the failover process for the affected network configuration.
Should the centralized IPAM appliance fail, the DNS and DHCP servers continue to operate in an uninterrupted state. Any changes made to DNS and DHCP while the IPAM appliance is offline are staged and then sent to the IPAM appliance once it is back online. This ensures the IPAM model, IP inventories and associated configurations are kept up to date without service interruption.
What IPAM Done Right Can Do For the Enterprise
IPAM is a framework designed to simplify the management of IP inventories, while managing dynamic IP addresses and name services. Done right, IPAM is not merely responsible for cataloging IP allocations but should give organizations multiple perspectives on the topology and configuration of the network, to extend its capabilities and guarantee a high level of service provisioning. In fact, IPAM functionality enables organizations to not only maintain corporate service level arrangements (SLAs), but also comply with external regulations imposed by government agencies in a cost-effective manner.
About the Author
As Director of Product Management at BlueCat Networks, David is responsible for managing the company’s complete line of DNS, DHCP and IPAM appliances. David can be reached at firstname.lastname@example.org or at 1-866-895-6931. Information on BlueCat Networks is available at www.bluecatnetworks.com.