Hospital gains network visibility by convincing vendors to collaborate

By Shamus McGillicuddy, News Editor
30 Oct 2008 | SearchNetworking.com

When Concord Hospital began building two new redundant data centers connected via a multi-link trunking technology five years ago, it was confronted with a network monitoring and analysis challenge.

The core Nortel 8600 10 GbE switches in each of the two data centers were going to be connected to the New Hampshire hospital's campus network via Nortel's Split Multi-Link Trunking (SMLT) technology. Any host device could connect to either core switch at any time, which meant there was no longer a single chokepoint in the network. The IT organization could no longer place a monitoring device on a core switch and be assured that it had full visibility into the network, according to Mark Starry, manager of enterprise architecture and security.

"Once [the data centers] were built, how do I get a handle on the traffic now?" Starry said. "If you have two 10 Gb links going to a huge PACS [Picture Archiving and Communication System] area, and one link gets busy, it may send the next guy who comes on to the other data center through the interlink switch trunk. There's no way to predict where your traffic is going to go," he said.

"In a clustered switch approach, it's not predictable," he said. "We're getting all these calls that this is slow and that is slow. Where do we start? To troubleshoot a network problem, you need both ends of things. You need to see not only the person who is transmitting something. You need to see the response. And if you don't hear a response back, how do you know where it was?"

At a conference, Starry encountered StealthWatch, a network behavioral analysis tool from Lancope, which could collect NetFlow data from anywhere in a network, regardless of how packets were routed through the two data centers. Unfortunately, at the time, Lancope supported only Cisco's proprietary form of the NetFlow protocol. Concord Hospital was mainly a Nortel network, and it wasn't inclined to rip and replace with Cisco.

"So I kind of talked to Lancope and talked to Nortel," Starry said. He encouraged the two vendors to work together to make StealthWatch run on IPFIX (IP Flow Information Export), a nonproprietary, standardized version of NetFlow that Nortel was using on its newer switches. To convince Nortel to make its source code available to Lancope, Starry said, "I'm going to retrofit my network, spend all this money to rip out my [switch] blades and put in your new blades to support NetFlow, and I'm not going to do that unless you work with Lancope to get it working."

Nortel and Lancope agreed to cooperate to make StealthWatch run on Nortel's network technology. By the time Concord Hospital's new data centers were up and running, the product was ready to go. Starry installed the StealthWatch collector and a console into the network and had the visibility he was looking for. His staff instantly started solving network problems.

"Both my security team and my network team use it," he said. "Once something changes, we know about it. We get alerted. 'This PC usually only transfers 10 MB a day. Did you know it just sent 50 GB to the Internet?' That's just not right. We can actually see all the data flowing through our entire network and make decisions between what's good and what's bad."

Many users had been complaining that their PCs were running slowly on the network. With StealthWatch, Starry learned that hundreds of PCs were sending traffic to Slovakia. Instantly, he assumed he had a botnet problem. StealthWatch revealed something completely different.

"It turns out it was just some systems that were misconfigured," he said. "They were supposed to have RFC-type internal addresses, like 192.168. Instead, someone had typed 192.198 in there, which is a real Internet-routable address. And then they had imaged 500 machines with that. So they were going out to get their SLP scope from Slovakia instead of trying to get it here, and you're wondering why your PC is so slow. Then they went to the failover SLP that was in the hospital, and they finally connected."
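The two findings above map to two checks over flow records: a per-host volume baseline, and traffic for an internal-only service (SLP, port 427) leaving for non-RFC 1918 addresses. The following is an added example, not code from the article, the hospital or StealthWatch; the flow tuples, baseline values, threshold factor and function names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SLP_PORT = 427  # Service Location Protocol registered port
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes). Not real data.
FLOWS = [
    ("10.1.4.20", "10.1.0.5", 427, 1_200),         # SLP lookup kept on-site
    ("10.1.4.21", "192.198.10.5", 427, 900),       # typo'd "private" address
    ("10.1.4.22", "192.198.10.5", 427, 900),
    ("10.1.7.9", "203.0.113.40", 443, 50 * 10**9), # 50 GB sent off-network
    ("10.1.7.10", "203.0.113.40", 443, 8 * 10**6),
]
# Constructed baseline: typical daily bytes each host sends off-network.
BASELINE = {"10.1.7.9": 10 * 10**6, "10.1.7.10": 10 * 10**6}

def is_rfc1918(addr):
    """True only for the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def volume_alerts(flows, baseline, factor=10):
    """Hosts whose bytes to non-RFC 1918 destinations exceed factor x baseline.
    Hosts with no baseline entry are skipped rather than guessed at."""
    sent = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_rfc1918(src) and not is_rfc1918(dst):
            sent[src] += nbytes
    return sorted(h for h, total in sent.items()
                  if h in baseline and total > factor * baseline[h])

def external_service_lookups(flows, port=SLP_PORT):
    """Map each non-RFC 1918 destination on an internal-only service port
    to the internal clients contacting it (a sign of a mistyped address)."""
    hits = defaultdict(set)
    for src, dst, dport, _nbytes in flows:
        if dport == port and is_rfc1918(src) and not is_rfc1918(dst):
            hits[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}

if __name__ == "__main__":
    print("volume alerts:", volume_alerts(FLOWS, BASELINE))
    print("off-site SLP lookups:", external_service_lookups(FLOWS))
```

The private-range test is written out explicitly because Python's `ipaddress.is_private` also returns true for other special-purpose blocks, which would hide some off-network destinations.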

Starry said the new visibility into his network will also help him with capacity planning. Most of his network closets have gigabit uplinks, but the hospital is moving to 10 Gb. StealthWatch will help him determine which closets are priorities. "Ten gigabit isn't cheap," he said. "So we're trying to figure out which links are being used most."
