<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
  <channel>
    <title>WSTA Latest Articles</title><link>http://www.wsta.org</link>
    <description>The latest articles from WSTA&apos;s TICKER Magazine.</description>
    <language>en-US</language>
    <item>
      <pubDate>Fri, 28 Mar 2008 15:31:56 GMT</pubDate>
      <title><![CDATA[Remote Users Are Demanding]]></title><link>http://www.wsta.org/publications/ticker_magazine/mar_apr_2008/remote_users_are_demanding</link>
      <description><![CDATA[
<p>
Remote access to corporate data is considered a right by many employees. It encourages work flexibility, provides faster responses to customers and colleagues and can be a huge benefit to both the individual and the organization. Now that users and their management expect to be able to work from anywhere at any time, they are demanding higher performance with faster services. IT is struggling to keep up with the user needs. What is driving the demand for performance and what can CIOs do to address this problem?
</p>










<p>
Remote access users have multiple needs: connectivity, security, wide availability and performance. However, in a similar way to Abraham Maslow’s Hierarchy of Needs, the higher needs are not demanded until the lower needs are met. As the lower needs have been achieved for many of us, the highest need – performance – is what we are now demanding.
</p>

<p>
I started business travel over 20 years ago. I remember carrying around various plugs for different telephone systems (and more than one for many countries), along with a screwdriver and a pair of crocodile clips when the only way to gain access to corporate information (usually just email in those days) was to take the hotel’s telephone apart and wire the PC straight in. The game in those days was being able to shriek, whistle and hiss to start the modem …didn’t we have fun back then!
</p>

<p>
In the meantime, standardization on the RJ-11 plug and jack in most hotel rooms, the increase in bandwidth, the reduction in pricing, data over mobile and built-in wi-fi in laptops and the almost ubiquitous wi-fi networks have eased the problem of connectivity. 
</p>

<p>
When connectivity was difficult (or sometimes impossible), the user didn’t worry about security; there are no security issues for a system that’s unconnected. But with the rise of connectivity, so came the growth in viruses, the problems of spyware and phishing, and the waste of time caused by spam and other threats to networked systems. 
</p>

<p>
Fortunately, the industry has come up with many desktop security applications, such as anti-virus software, portable web filtering, locking down of PCs to prevent malicious applications from installing and disk encryption in case a laptop is mislaid or stolen. Most users now trust that their work systems are configured to resist most attacks, so even those that were unsure about the safety of connecting remotely are logging in when traveling.
</p>

<p>
This is where the third need appears. We are not just happy with connectivity and security; now we want availability. Availability can be seen in two dimensions: worldwide 24x7 availability and the availability of applications. The growth in wi-fi networks has made the first almost a given, from the rural bar with one waitress that announces “free wi-fi here” on its blackboard to the wealth of options in cities. I was in Shanghai last year and from my hotel room I had a choice of around 40 wi-fi links, most of them open and free. Availability of applications has been driven by users. Just accessing email is not enough; we see no reason why the applications we use in the office are not available to us outside. Personally, I can access our Oracle system, CRM, all of our shared servers and every other key application wherever I am and whenever I want it.
</p>

<p>
So here we are at the highest level: performance. “Why is access so slow when I am out of the office?” is the cry from the sales manager. “Do you know how expensive my sales people are?” They forget that just a year or two ago, even accessing the sales application was impossible. Now they want it remotely just as fast as in the office “or faster, if you can” they will add with a smile.
</p>

<p>
Luckily, the industry is coming to our rescue again. Vendors of WAN optimization technology make devices that accelerate data to regional and remote offices. These companies usually sell appliances that remove repeated requests from the network and optimize the protocols to reduce unnecessary data round-trips from the WAN.
</p>

<p>
A number of these companies have announced, and a few are shipping, client software to extend that benefit to the traveling user. This is delivered as a small application on the remote PC that caches email and file server traffic, hides the inefficient protocols of TCP, CIFS and MAPI and compresses the traffic before transmission. It thus accelerates data to the remote user and saves WAN bandwidth in the process.
</p>

<p>
As always with new technologies, there will be a rush to add more features and some initial offerings will be fairly basic. Some will not work with SSL VPNs; some will not be able to accelerate SSL data; and perhaps specific applications (such as Citrix) will fool others. The organization also needs to be able to centrally manage acceleration policies and the distribution, installation and updating of the applications. In addition, as organizations want few client applications on the PCs, customers have been requesting the integration of acceleration and security. Only some vendors are likely to achieve that level of integration.
</p>

<p>
CIOs should consider this type of technology to help their traveling users be more productive when out of the office. But it’s also necessary to have a clear set of requirements to ensure that the application supports the organization’s key business functions.
</p>

<p>

Nigel Hawthorne is VP, EMEA Marketing, 
Blue Coat Systems, +44 1252 554651; 
email: nigel.hawthorn@bluecoat.com; web: www.bluecoat.com. 
</p>
]]></description>
      <guid isPermaLink="false">http://www.wsta.org/publications/ticker_magazine/jan_feb_2008/mitigate_disaster_security_risks_using_enterprise_change_management</guid>
    </item>
    <item>
      <pubDate>Fri, 28 Mar 2008 15:30:26 GMT</pubDate>
      <title><![CDATA[Executive Compensation: Don’t Forget the Fringe Benefits]]></title><link>http://www.wsta.org/publications/ticker_magazine/mar_apr_2008/executive_compenstaion_don_t_forget_the_fringe_benefits</link>
      <description><![CDATA[
<p>
For an IT executive, negotiating the right employment compensation package should entail more than scrutinizing the term sheet for the dollars offered to the individual in the form of salary, bonus and equity participation. Executives often place the salary and options figures at the forefront of their analysis and lose sight of other valuable compensation components. While salary considerations should have prime consideration, employees should not overlook the value of fringe benefits or perquisites (or the more familiar term “perks”) to supplement their overall compensation package. 
</p>

<p>
As corporate employers demand more of their employees, employees are demanding more of their employers. Fringe benefits are a way to meet the mutual employment demands. Fringe benefits offer an employer another way, aside from just salary, to recognize an employee’s market value, duties and responsibilities and corporate contribution. For the employee, employment perks, in a variety of forms, can sweeten a compensation package financially and provide the employee with the motivation to achieve the employer’s long-term and short-term corporate goals.
</p>

<p>
An area where the inclusion of fringe benefits is particularly apparent is in the compensation packages of IT executives. In 2007, based on some of the latest proxy statements filed with the Securities and Exchange Commission, some of the nation’s top IT executives received, in some cases, an additional $100,000.00 in fringe benefits. These top earners negotiated, as part of their overall million dollar compensation, employer payment of retirement savings contributions, financial planning advice, life insurance premiums, and personal use of the corporate aircraft. Some IT executives’ perk packages included transportation allowances, club dues, home security systems and executive physicals. In the case of a sought-after foreign executive, the employer assumed responsibility for the executive’s immigration fees.
</p>

<p>
IT employment candidates should be mindful of current trends and happenings in the executive compensation arena when negotiating an employment package. According to CIO Magazine’s November 16, 2007 article entitled “CIO Compensation Includes Lots of Perks” by Kim S. Nash, of the thirty-nine identified millionaire CIOs in 2007, twenty-three received retirement/savings contributions as part of their overall employment compensation package. Fifteen members of the 2007 class of millionaire CIOs received perks in the form of life insurance premiums. Much less common as part of the millionaire CIOs’ employment packages were employer-provided payments for health screenings or physical exams with only six members of the 2007 class of millionaire CIOs reporting such contributions in the latest proxy statements. The perks paid to the millionaire CIOs reflect the flexibility of the executive compensation negotiation process. What is an important component in the employment compensation package to one IT executive might be of little interest to another executive. However, current trends suggest a willingness on the part of employers to make generous retirement contributions.
</p>

<p>
While we recognize that not every employer has the resources to offer its employees compensation that includes such rich perks, the recent payment of generous fringe benefits to America’s highest-paid IT executives underscores for all executives that fringe benefits provide the employer with another way to bring new executive talent into their fold. Prospective employees should not overlook this trend. 
</p>

<p>
When an employer identifies an employee as a good match for the company, there can be a great deal of flexibility, outside of just salary and bonus. The payment of fringe benefits can allow the employer to fashion a compensation package that provides the employee with compensation and benefits that are commensurate with the employee’s skills and responsibilities while protecting the assets of the employer and its shareholders. From the employee’s perspective, perks are a valuable tool to tap to achieve the financial goals other than through salary and bonus. That means that with fringe benefits there is a greater likelihood of meeting the goals of both the employer and the employee. 
</p>

<p>
The IT executive employment package should also address, where applicable, IRS rules on deferred compensation, change of control and related tax indemnities.
</p>

<p>
David T. Harmon, Esq. (dtharmon@nmmlaw.com) is a partner at the law firm of Norris McLaughlin &amp; Marcus PA and is the Co-Chair of the firm’s Executive Compensation and Employee Benefits Group. Mr. Harmon is also a member of the Board of Directors of the Wall Street Technology Association. Rachel A. Wingerter, Esq. (rawingerter@nmmlaw.com) is an associate at Norris McLaughlin &amp; Marcus PA and is a member of the firm’s Executive Compensation and Employee Benefits Group.
</p>
]]></description>
      <guid isPermaLink="false">http://www.wsta.org/publications/ticker_magazine/jan_feb_2008/mitigate_disaster_security_risks_using_enterprise_change_management</guid>
    </item>
    <item>
      <pubDate>Fri, 28 Mar 2008 15:23:17 GMT</pubDate>
      <title><![CDATA[SURF’S UP The Next IT Wave is Approaching Wall Street]]></title><link>http://www.wsta.org/publications/ticker_magazine/mar_apr_2008/surf_s_up_the_next_it_wave_is_approaching_wall_street</link>
      <description><![CDATA[
<p>
The first IT wave to hit Wall Street was real-time market data. Wave two was automated trading. The next wave approaching the financial markets shore is rich media content.
</p>

<p>
Wall Street has always been where the action is when it comes to technology. Over the last 20 years, there have been “bangin” waves of technology on Wall Street and the IT professionals have been the “surfer dudes” riding those waves<sup>1</sup>. But the currents are changing in IT. Is it possible that Wall Street will miss the next wave or worse yet…wipe out?
</p>

<p>
The first IT wave on Wall Street was real-time market data…and it was gnarly! This wave created Reuters, hundreds of start ups, and the current mayor of New York. The concept was transformational. Collect pricing and transaction data from financial exchanges around the world. Consolidate and present that information on a series of computer screens. Add in powerful analytical tools. Correct any data inconsistencies. And do it all in real time. Market data spawned huge IT departments, billions of dollars of spending on technology, and tremendous wealth creation opportunities for market participants.
</p>

<p>
The second wave was all about automated trading and it was like “riding the tube”. It started with algorithmic trading that turned quant jocks into the Big Kahunas. Computer models were built that executed trade orders based on market conditions and the underlying investment strategy. Thousands of hedge funds emerged. Order management systems became mission critical. Most recently, the rage on Wall Street has been eliminating network latency from trading systems. IT departments are loading trading applications on servers and placing those servers as close as possible to the servers of the trading venue. Then they press the “on” button and hang ten.
</p>

<p>
A new wave is coming to Wall Street that could end up pounding the IT professional – rich media content. For the first time in decades, college students and teenagers may have a better understanding than the IT veteran of the business opportunities that can be created by new media technology. Social networking. Web 2.0. Podcasts. Wikis. Blogs. Streaming media. Content monetization. Think of this new media content as community applications. And at their core, communities are what Wall Street loves -- markets.
</p>

<p>
What to do next? Rich media is just an enhancement to the application and IP networks that Wall Street has perfected over the years. Wall Street has real-time global IP networks for collecting and distributing market data. Wall Street has high-performance servers and storage interconnected with low-latency networks for executing trades. The next step is to add a media layer to this infrastructure model that supports streaming, caching, and live delivery of content. Then a new breed of applications can be rolled out that taps into the collective power of the community marketplace. Even better, Wall Street has a track record of being able to monetize content (aka market data) so there should be no problem monetizing new media content.
</p>

<p>
The next IT wave approaching Wall Street is called rich media content and it's fat! Are you going to ride the wave or turtle?
</p>

<p>
_______________________________________________ 
</p>

<p>
For a glossary of surfing terms, visit Rippin H2O at http://rippinh2o.com/dropzone/surflingo.shtml
</p>

<p>
Jim Leach is a Vice President at Internap (www.internap.com). He can be reached at 404-302-9755 or jleach@internap.com. 
</p>
]]></description>
      <guid isPermaLink="false">http://www.wsta.org/publications/ticker_magazine/jan_feb_2008/mitigate_disaster_security_risks_using_enterprise_change_management</guid>
    </item>
    <item>
      <pubDate>Fri, 28 Mar 2008 15:21:40 GMT</pubDate>
      <title><![CDATA[Delivering Next-Generation WANs with Application Acceleration]]></title><link>http://www.wsta.org/publications/ticker_magazine/mar_apr_2008/delivering_next_generation_wans_with_application_acceleration</link>
      <description><![CDATA[
<p>
Ensuring the timely, secure and reliable delivery of important applications and services over the WAN requires the deployment of tools to overcome a series of significant limitations in existing WANs. As the market for these tools has evolved, several single-function devices have emerged that offer a range of services. Financial services IT departments have recognized, however, the impracticality of deploying multiple discrete devices and have instead sought solutions that integrate these capabilities into a single platform. 
</p>

<p>
For application performance across the WAN to improve, the WAN must behave more like a LAN. The technologies delivered by best-in-class integrated application acceleration solutions include compression and caching, acceleration, integrated QoS, application control, and an integrated configuration, monitoring and troubleshooting management application. Along with broad application support, this integrated approach allows IT to successfully provide LAN-quality application delivery across distributed enterprises.
</p>

<p>
Increasing WAN Capacity
</p>

<p>
The classic option for increasing the size of the WAN link is to upgrade the capacity of that constrained link. However, this option can be prohibitively expensive or entirely unavailable. Compression and caching offer a far more cost effective and timely solution to gain instant WAN capacity on the existing network.
</p>

<p>
Speeding Transmissions
</p>

<p>
To speed transmissions across the broadest range of business applications, application acceleration platforms need to overcome the impact of latency. To overcome delays caused by latency, an application acceleration platform requires both TCP acceleration and application-specific acceleration. Several TCP acceleration techniques can be implemented to benefit applications based on either short-lived or long-lived TCP connections. These techniques include:
</p>

<p>
• Reducing round trip time (RTT) from TCP connection setup
</p>

<p>
• Terminating the TCP connection local to the sender and using an efficient transport protocol between acceleration devices themselves
</p>

<p>
• Use of recovery packets to allow reconstruction of lost packets
</p>

<p>
• Pipelining data blocks and web objects to accelerate Microsoft Exchange, Microsoft File Services, and web-based applications
</p>

<p>
Quality of Service (QoS)
</p>

<p>
Since speeds between the LAN and the WAN differ widely, no amount of compression or acceleration will solve all problems. Contention for WAN capacity is a very real problem that must be addressed with an effective QoS and bandwidth allocation model that enforces business priorities. In many circumstances the WAN optimization and application acceleration platform is the best point in the network to perform QoS and bandwidth allocation. 
</p>

<p>
Using Multiple WAN Links
</p>

<p>
Enterprises increasingly seek to take advantage of hybrid public/private WAN transports, while ensuring that key performance criteria will still be met. To make effective use of both paths, IT needs to apply business policies to each link and monitor their performance. A comprehensive application acceleration solution should enable IT to define which applications traverse which link and under what conditions.
</p>

<p>
Complete Monitoring
</p>

<p>
Defining policies for optimizing traffic flows over the WAN requires that IT understand the actual traffic flows. Monitoring tools that provide centralized, role-based management of distributed applications and networks are essential to effective application delivery. At a minimum, monitoring tools should provide visibility into such aspects as packet size distribution, error rates, throughput statistics, and TCP and application acceleration data.
</p>

<p>
In conclusion, to support the new initiatives enabled by Service Oriented Architecture, Software as a Service, Web 2.0, and other new application technologies, WANs must have the reliability and speed of LANs. This can be accomplished by deploying a number of tools, but to do so cost effectively requires the deployment of integrated networking tools that provide multiple services in a single device. These application acceleration devices are deployed in your existing network, elevating performance and availability, while protecting your existing investments. 
</p>

<p>

Doron Abrahami is Senior Marketing Manager - Global Banking and Financial Services at Juniper Networks,
201-913-9975; email: dabrahami@juniper.net; web: www.juniper.net. 
</p>
]]></description>
      <guid isPermaLink="false">http://www.wsta.org/publications/ticker_magazine/jan_feb_2008/mitigate_disaster_security_risks_using_enterprise_change_management</guid>
    </item>
    <item>
      <pubDate>Fri, 28 Mar 2008 15:20:05 GMT</pubDate>
      <title><![CDATA[Regaining MPLS VPN Visibility in the Enterprise]]></title><link>http://www.wsta.org/publications/ticker_magazine/mar_apr_2008/regaining_mpls_vpn_visibility_in_the_enterprise</link>
      <description><![CDATA[
<p>
Enterprises that outsource their WANs to MPLS VPN service providers gain cost-effective, high-bandwidth service delivery between sites. The tradeoff for these benefits can be a huge loss of management visibility into their WAN backbone. Route analytics technology has emerged as a way to regain visibility over MPLS VPN-based WANs, perform effective network analysis and keep service providers accountable.
</p>

<p>
Layer 3 MPLS VPN services are delivered by service provider IP/MPLS networks organized into a core of provider (P) routers and a layer of customer-facing provider edge (PE) routers, which connect to enterprise customer edge (CE) routers located at VPN-connected sites. 
</p>

<p>
While outsourcing the WAN backbone to an MPLS VPN service offloads its management to the provider's shared infrastructure, it also results in the enterprise's WAN backbone residing primarily in the service provider’s routing administrative domain, making its inner workings invisible to the enterprise network manager. The resulting lack of WAN management visibility can impede effective troubleshooting of application delivery problems and sometimes make it hard to figure out whether a network issue is stemming from the service provider or the enterprise part of the picture. 
</p>

<p>
The nature of the MPLS VPN customer-to-provider interface – a highly dynamic and complex Layer 3 IP routed peering – complicates the visibility issue since network managers must ensure not only that CE to PE links are “up” from a Layer 2 point of view, but that there is proper Layer 3 routing over these links and through the VPN “cloud”. On top of these factors, the most common routing protocol used in MPLS VPN CE-PE peerings is the Border Gateway Protocol (BGP), which is complex, difficult to analyze and easy to misconfigure. 
</p>

<p>
Unfortunately, traditional multi-minute SNMP polling cycles aren't equipped to monitor VPN route advertisements and withdrawals that can happen within milliseconds, so the tools that most network managers have to monitor their network cannot provide much in the way of WAN management visibility.
</p>

<p>
Given these challenges, how then do network managers get the information they need to monitor VPN routing and reachability issues and determine whether a problem is being caused by the enterprise or the provider? How can they be sure their VPN is not getting mixed with another customer's, and that their VPN sites are routing properly through the VPN? Without visibility into these issues, enterprises and their providers can get caught in futile finger-pointing.
</p>

<p>
Enter route analytics technology. Route analytics works by forming peerings with a few key routers on the network, listening passively to and recording every routing protocol (BGP, OSPF, EIGRP, IS-IS) exchange and update, and creating a model of the network that is as accurate and up to date as the network itself. Users get a &quot;router's eye view&quot; of Layer 3 connectivity and reachability. In the case of MPLS VPNs, route analytics peers via BGP with the CE routers and receives all the routing updates that the CE router receives from other CE routers via the MPLS VPN. Route analytics never advertises routes or makes any changes to routing in the network, so it cannot adversely affect connectivity. 
</p>

<p>
Route analytics helps monitor some key management criteria for ensuring the proper function of an MPLS VPN backbone:
</p>

<p>
• Remote Site Router and Network Reachability: “How do I know if my CE routers have a proper routing connection to the VPN and that the networks behind them are reachable?” By monitoring the real-time ebb and flow of advertised or withdrawn prefixes from the MPLS VPN, route analytics can rapidly detect if a remote site is offline from a VPN routing point of view, or if a routed network at any given site has become unreachable.
</p>

<p>
• VPN Privacy and Integrity: “How do I ensure that my VPN is not being mixed with another VPN customer network inside the service provider cloud?” By monitoring thresholds of newly advertised or withdrawn routed prefixes in the network, and by examining Autonomous System Numbers (ASNs) connected to the VPN, route analytics can quickly inform network managers if there is a potential breach of VPN privacy that may have occurred within the service provider’s network.
</p>

<p>
• Forensic Analysis of Reachability Issues: “How can I see exactly what happened in the past, to solve problems and give customers forensic information?” Since route analytics keeps a rewindable and replayable history of all routing changes across the entire network, network managers always have a complete forensic repository to draw on for analysis purposes and in order to keep their providers accountable for issues that are clearly caused by the provider’s network.
</p>

<p>
• Remote site IGP (Interior Gateway Protocol) monitoring: “How do I get insight into potentially complex routing issues within the remote sites?” Since route analytics can analyze all major routing protocols across all parts of the network, network managers can now easily understand complex Layer 3 and routing issues occurring at remote sites or campuses. 
</p>

<p>
The move to MPLS VPN services need not mean a complete loss of WAN management visibility. By deploying route analytics technology, network managers can accomplish their network outsourcing goals while still retaining the management information needed to ensure application delivery and performance.
</p>










<p>
Alex Henthorn-Iwane is Vice-President of Product Marketing at Packet Design Inc., 650-739-1850; email: alex@packetdesign.com; web: www.packetdesign.com. 
</p>
]]></description>
      <guid isPermaLink="false">http://www.wsta.org/publications/ticker_magazine/jan_feb_2008/mitigate_disaster_security_risks_using_enterprise_change_management</guid>
    </item>
    <item>
      <pubDate>Fri, 28 Mar 2008 15:18:12 GMT</pubDate>
      <title><![CDATA[Mobile Convergence]]></title><link>http://www.wsta.org/publications/ticker_magazine/mar_apr_2008/mobile_convergence</link>
      <description><![CDATA[
<p>
Introduction
</p>

<p>
There is no surefire recipe for enterprise adoption of mobile technology. Nevertheless, the appetite for wireless technologies continues to rapidly increase in the enterprise. The upshot of an environment with a mixture of mobile technologies is convergence. While it may be difficult for the enterprise to understand the mobile convergence landscape, given all the shifting components, realization should begin immediately. 
</p>

<p>
Enterprise innovation and tactical capability will be the end product from merging mobile technologies and introducing new architectures in which multiple wireless technologies can co-exist. Still, converged mobile architectures are fundamentally premature and are not entirely ready to impact the enterprise. However, mobile convergence will not take long to mature. 
</p>

<p>
Various connective mobile technologies make up the ingredients of converged mobile architectures. Connective mobile technologies include Wi-Fi, WiMAX, GSM, CDMA, UMTS, Bluetooth, LTE, and others. In addition, quite a few compelling architectures include the union of enterprise telephony technologies along with mobile technologies. The demarcation point between enterprise voice and mobile technology is becoming transparent.
</p>

<p>
Why Mobile Convergence?
</p>

<p>
Today, enterprise employees are faced with technology obstacles that set back productivity. The first hurdle is the disconnect between mobile devices and enterprise telephony technologies. Converged mobile architectures smash down the walls between enterprise voice and mobile handsets. The result is a tight integration between the enterprise PBX (Private Branch Exchange) and enterprise mobile devices, which leads to employee happiness. 
</p>

<p>
No longer would enterprise employees be required to manage voicemail on their mobile device and voicemail on their office desk phone. No longer would enterprise employees be required to deal with multiple phone numbers. 
</p>

<p>
The first step for an enterprise should be consulting their enterprise PBX vendor(s). Leveraging current enterprise telephony infrastructure is the best practice. Most of the major PBX vendors already have established mobile convergence products or are working towards PBX extensibility. The outcome is single number reachability and one voicemail container, along with opportunities for advanced Web 2.0 collaboration features, such as presence. 
</p>

<p>
For enterprise environments that have legacy PBX environments or a mixture of voice telephony vendors it may be healthier and provide more flexibility to employ an agnostic middleware solution rather than solution(s) from silo-focused PBX vendor(s). In addition, mobile service operators and mobile handset manufacturers have direct stakes in mobile convergence architectures and in some cases are introducing enterprise mobile convergence solutions alongside enterprise PBX vendors. 
</p>

<p>

Mobile Convergence Architectures
</p>

<p>
Mobility convergence solutions are, in general, not unfamiliar in an enterprise environment. They typically follow the traditional client-server model. For instance, a soft “mobility” client is installed on the mobile handset which works in cooperation with a “mobility” appliance/server which acts as a gateway between the enterprise PBX and the mobile service operator. This is the basic architectural approach.
</p>

<p>
Furthermore, many enterprises already have mobile convergence success stories. Most enterprises have successfully extended enterprise email to mobile handsets. The concept of converging enterprise voice with mobile handsets is essentially the same as the above model. Is it unimaginable to consider the same mobility for enterprise voice? The answer is no.
</p>

<p>
Dual-Mode Handsets
</p>

<p>
Mobile convergence architectures taken a step further, beyond straightforward PBX extension, incorporate dual-mode handsets. Dual-mode handsets support multiple connective mobile technologies, such as devices that support both Wi-Fi and GSM, or WiMAX and CDMA. 
</p>

<p>
Dual-mode handsets are appealing for the reason that connectivity by means of more than one connective mobile technology is now possible. Taken a step further, dual-mode handsets are even more interesting when considering seamless cross-network roaming. An enterprise with a corporate wireless local area network can take advantage of dual-mode devices for locations where connectivity by other means is not possible. For some lines of business pervasive enterprise voice is priceless and dual-mode handsets provide a level of redundancy and alternative voice medium which has otherwise been nonexistent.
</p>

<p>
Mobile Handset Manufacturers
</p>

<p>
Handset manufacturers are releasing substantially more dual-mode handsets. However, the ongoing challenges faced by the dual-mode handset manufacturers include increased chipset costs and handset battery life limitations. At the end of the day, dual-mode handsets have a higher total cost of ownership (TCO) and are less efficient. In spite of the higher TCO and battery life drawback, users are continuing to embrace dual-mode handsets. The motivation may perhaps be to bridge enterprise voice and mobile technology, such as single number access, or perhaps to sidestep mobile service operators. 
</p>

<p>
Mobile service operators have much to gain through enterprise mobile convergence. The benefits are compelling to the enterprise and profitable to the mobile service operator from end to end (i.e., dual-mode handset sales and mobile convergence product sales). Today, several mobile service operators are introducing and/or developing mobile convergence solutions by means of UMA (Unlicensed Mobile Access) or IMS (IP Multimedia Subsystem) / VCC (Voice Call Continuity). 
</p>

<p>
In a nutshell, UMA unites unlicensed connective mobile technologies, such as Wi-Fi and Bluetooth, with licensed connective mobile technologies, such as GSM and GPRS. One gigantic shortcoming of UMA is that current specifications do not deal with CDMA, which is the inherent connective mobile technology for two US mobile service operators and several international mobile service operators. 
</p>

<p>
IMS/VCC is a more encompassing mobile convergence architecture, without the drawbacks of UMA. The handover between Wi-Fi and GSM is more seamless by incorporating IP/SIP network elements into the design. This helps other network elements focus on their primary functionalities. Furthermore, IMS/VCC enables opportunities for innovative and strategic capabilities, such as advanced enterprise collaboration and multimedia features. 
</p>

<p>
Conclusion
</p>

<p>
Enterprises should evaluate side-by-side mobile convergence solutions from their enterprise voice PBX vendor(s), mobile service operator(s) and mobile handset manufacturer(s) and strongly take into consideration agnostic middleware vendors. Next, it is important for an enterprise to identify the range of mobile handsets in scope and make certain that the “mobility” clients are compatible with the mobile handsets and mobile operating systems. Then, determine which mobile convergence architecture is best suited to bring together enterprise voice and mobile technology. Finally, consider enterprise PBX extensibility with mobile handsets first and then plan ahead for dual-mode handsets and advanced collaboration features.
</p>

<p>
Scott Slater is in the Advanced Engineering group at The Bank of New York Mellon (www.bnymellon.com). 
</p>

<p>

He can be reached at scott.slater@bnymellon.com or 212-815-5231. 
</p>
]]></description>
      <guid isPermaLink="false">http://www.wsta.org/publications/ticker_magazine/jan_feb_2008/mitigate_disaster_security_risks_using_enterprise_change_management</guid>
    </item>
    <item>
      <pubDate>Fri, 28 Mar 2008 15:15:52 GMT</pubDate>
      <title><![CDATA[Next-Generation WANs: Solutions and Strategies]]></title><link>http://www.wsta.org/publications/ticker_magazine/mar_apr_2008/next_generation_wans_solutions_and_strategies</link>
      <description><![CDATA[
<p>
Consolidation of sites and resources demands major changes in WAN architecture and backup strategies. New technologies in the data center, such as virtualization, grid computing, and clustering dramatically affect information processing and therefore network requirements, leading not only to increasing demands for bandwidth, but also to fundamental changes in the way data flows across enterprise WANs.
</p>

<p>
At the same time, the shift to a data-center-centric model for enterprise computing continues to increase the importance of the reliability, scalability, and management of the underlying WAN infrastructure. Enterprise organizations must plan for these changes, and must concentrate on obtaining WAN services capable of meeting these changing requirements, including MPLS, Carrier Ethernet and VPLS.
</p>

<p>
The enterprise migration to data-center-centric computing has led to the creation of three distinct classes of enterprise WANs: 
</p>

<p>
• Data center-to-data center: comprised of high-bandwidth, low-latency services such as Ethernet metropolitan area networks (MANs), wave division multiplexing, and line-of-sight wireless.
</p>

<p>
• Data center-to-branch: comprised of technologies such as Ethernet and MPLS.
</p>

<p>
• Branch-to-branch: comprised of technologies such as MPLS, T1/E1 and fractional services, as well as emerging technologies such as digital subscriber line (DSL) and cable.
</p>

<p>
Each of these three networks has distinct requirements. For example, DC-to-DC networks require high and scalable bandwidth to support storage, replication, and perhaps virtualization and grid computing, while branch-related networks require application performance management and QoS to make the most of limited bandwidth. 
</p>

<p>
Consolidation: More Eggs in Fewer Baskets
</p>

<p>
Most large IT shops are in the process of data center consolidation. Almost all of the IT executives that participated in Nemertes Research’s “New Data Centers” benchmark were in the process of consolidating data centers. Consolidation of data centers places greater importance on availability and the resiliency of existing and planned data center locations. Business demand for higher availability is particularly high in the financial services sector, and half of all New Data Center participants list availability as one of their top challenges. Correspondingly, almost half of the participants are setting up secondary data centers for continuity and disaster recovery, either by repurposing an existing data center, or by building new facilities into which they consolidate existing data centers. 
</p>

<p>
The use of secondary data centers is not new to Wall Street. Unfortunately, the tragic events of 09/11 highlighted the fact that having a backup data center across the Hudson was not good enough. Similarly, since Hurricane Katrina, disaster recovery consultants and managers across the country have re-evaluated traditional assumptions about the potential geographic footprint of a disaster. As a result, secondary and tertiary data centers are often built more than 200 miles from the primary data center, leading to complex storage replication challenges. Latency, storage architecture, protocol and I/O characteristics all must be properly managed to maintain performance across distributed data centers.
</p>

<p>
The bottom line is that consolidating to one data center increases the demand on WAN availability and resiliency. Consolidating into multiple, geographically distant data centers, combined with business continuity requirements, increases the demand on the WAN dramatically.
</p>

<p>
Solutions and Services
</p>

<p>
The changes in data center architecture are driving the emergence of “flatter” two-tier network architectures. In this new architecture, data center connectivity typically comes in two flavors: interconnections between data centers, and connections between the data centers and the rest of the organization. 
</p>

<p>
As noted, although in some cases the common protocol is MPLS, more typically financial services organizations rely on higher-speed interconnects between data centers, such as dense wave-division multiplexing (DWDM) over dedicated fiber, with MPLS used between data centers and the rest of the company.
</p>

<p>
Enterprise IT executives who participated in the Nemertes Research benchmark “Building the Successful Virtual Workplace” reported an increasing trend toward MPLS for WAN services to support real-time applications, with 56% of enterprises now deploying MPLS (up from 42% a year ago). Drivers for MPLS typically include support for peer-to-peer traffic flows associated with voice and video, and the ability to prioritize real-time applications across the WAN.
</p>

<p>
How “fat” are the pipes into each data center? The mean bandwidth into the typical data center is approximately 90 Mbit/s, or roughly two T-3s (each T-3 is 45 Mbit/s). However, data rates vary widely by industry, with education leading the pack at 145 Mbit/s, followed closely by financial services with 96 Mbit/s.
</p>

<p>
In addition to MPLS and DWDM, Carrier Ethernet services show great promise as inter-data-center WAN solutions. Carrier Ethernet provides high bandwidth (typically 1 Gbit/s – 10 Gbit/s, with some providers offering interface speeds up to 20 Gbit/s) at relatively low latency. Traditionally, Carrier Ethernet has been considered more a metropolitan area network (MAN) technology than a WAN technology. However, the delineation between MAN and WAN is becoming blurred. There are now Carrier Ethernet providers that can provide 20 Gbit/s Ethernet coast-to-coast. And, as these services mature, convergence is occurring. Service providers are now extending Ethernet across the WAN, over MPLS. This technology is called Virtual Private LAN Services (VPLS). VPLS addresses some of the specific challenges with extending Ethernet across the WAN, most notably scalability and availability. Adoption of Carrier Ethernet services as a WAN and inter-data-center service is rapid. Nearly half of the companies that Nemertes works with say that they are deploying, or plan to deploy, some form of Carrier Ethernet service in the next 18 months. 
</p>










<p>
Conclusions and Recommendations
</p>

<p>
Instead of the graduated, multi-tiered WAN architectures of yesteryear, WANs today are increasingly flat, with one type of interconnect (increasingly, MPLS) linking data centers to branch offices, and another type (increasingly, DWDM/fiber/Carrier Ethernet) linking data centers to each other. Moreover, consolidation increases the demand on data center network availability, driving the need for effective multi-homing (both for Internet and WAN connections). 
</p>

<p>
How should the changing data center architecture be considered when looking at next generation WAN solutions? Some pointers: 
</p>

<p>
• Architect redundant WANs. Seek both physical and logical multi-homing, both for internal and Internet connections. 
</p>

<p>
• Assess the performance characteristics of your next generation WAN options. Develop an application-delivery performance management framework, to ensure predictable, consistent, and solid performance of the network and applications.
</p>

<p>
• Deploy MPLS. Particularly if your organization is large (over $1B) or has global operations, if you haven’t rolled out an MPLS WAN, now is the time to do so. In another year, you’ll be behind the curve. The same is true for Carrier Ethernet.
</p>

<p>
• Seek dark fiber. Although the fiber glut of the past few years has diminished, fiber is still available from a plethora of sources. Many high-end organizations are adopting a two-tiered architecture, with DWDM/dark fiber linking data centers to each other, and MPLS linking data centers to branch offices. 
</p>

<p>
Ted Ritter is a research analyst with Nemertes Research (www.nemertes.com). Founded in 2002, Nemertes Research specializes in analyzing the business value of emerging technologies for IT executives, vendors, and venture capitalists. Recent and upcoming research topics include security and information protection, mobility and collaboration technologies, and outsourcing. For more information, please call 888-241-2685 or email research@nemertes.com. 
</p>
]]></description>
      <guid isPermaLink="false">http://www.wsta.org/publications/ticker_magazine/jan_feb_2008/mitigate_disaster_security_risks_using_enterprise_change_management</guid>
    </item>
    <item>
      <pubDate>Fri, 01 Feb 2008 16:23:53 GMT</pubDate>
      <title><![CDATA[Ways to Balance Risk-Benefit for Security Strategy in a VoIP Network]]></title><link>http://www.wsta.org/publications/ticker_magazine/jan_feb_2008/ways_to_balance_risk_benefit_for_security_strategy_in_a_voip_network</link>
      <description><![CDATA[
<p>
We should be careful to neither understate nor overstate the significance of data security within the context of your enterprise VoIP projects. Fundamentally, we all understand that the security discussion is important and must take place early, but few of us have the desire to spend enormous amounts of energy on this topic.
</p>

<p>
We cannot ignore the fact that reasonable and prudent security planning must be viewed as a foundational building block of your VoIP deployment strategy. The trick is to determine what “reasonable and prudent” means to your enterprise, what the cost-benefit analysis reveals and where additional layering of security strategies yields diminishing returns. 
</p>

<p>
Naturally, steps need to be taken to ensure that your telephone conversations are confidential and that your voice system is not opening your data network to new vulnerabilities. But every security measure and countermeasure should be subject to the same risk-benefit analysis that you would make for any other strategic technology. 
</p>

<p>
For example, ordinary voice conversations have always been subject to eavesdropping by anyone with physical access to the wire and with a little technical knowledge. Eavesdropping on unsecured VoIP calls takes a little more sophistication. But this is not a new threat – only the modification of an existing threat. Payload encryption is easily reconcilable from a cost-benefit standpoint; as such, this discussion is really less about whether to encrypt and more about identifying the internal and external threats and your plans for accepting or mitigating each of those risks.
</p>

<p>
Discussion points for your analysis may include:
</p>

<p>
• How to ensure you are protected from internal and external eavesdropping
</p>

<p>
• How you continuously guard against ever-evolving hacking that might open your network to other threats
</p>

<p>
• The interplay between your VoIP solution and your broader business continuity planning
</p>

<p>
1. Establish Enterprise-wide Security Policies 
</p>

<p>
• Start with a top-down analysis, and determine whether the security policies meet the business needs of the organization. 
</p>

<p>
• Decide whether to encrypt voice payloads and what level of encryption to deploy across all devices. Ensure that the necessity for end-to-end encryption outweighs the additional complexity and administration costs. 
</p>

<p>
2. Determine Perimeter Protection Strategy
</p>

<p>
• Firewalls that are simple and necessary for data traffic may not be the best solution for voice due to complexity and vulnerabilities.
</p>

<p>
• Session Border Controllers (SBC), which direct voice traffic around the firewall, are less vulnerable due to their hardened nature and they offload the traffic from the firewall.
</p>

<p>
• Virtual Private Networks (VPNs) or encrypted “tunnels”, technology you may already have deployed, minimize the changes to your existing environment. 
</p>

<p>
3. Choose Inherently Secure Technologies 
</p>

<p>
• Consider geographical separation of your core servers into two or more data centers.
</p>

<p>
• Solutions built on Unix/Linux operating systems are less likely to be the target of hackers than those built on Windows. 
</p>

<p>
While many prefer to use an outside consultant to help navigate these discussions, a trusted relationship with your key vendors will prove to be equally fruitful.
</p>

<p>
Robert J. Doroshewitz, Esq. is Director, Professional Services, SIP Platforms and Network Integration at Siemens Communications (www.siemens.com/open). He can be reached at bob.doroshewitz@siemens.com. 
</p>
]]></description>
      <guid isPermaLink="false">http://www.wsta.org/publications/ticker_magazine/jan_feb_2008/mitigate_disaster_security_risks_using_enterprise_change_management</guid>
    </item>
    <item>
      <pubDate>Fri, 01 Feb 2008 16:21:13 GMT</pubDate>
      <title><![CDATA[VoIP Security: What You Need to Know]]></title><link>http://www.wsta.org/publications/ticker_magazine/jan_feb_2008/voip_security_what_you_need_to_know</link>
      <description><![CDATA[
<p>
Voice over IP, commonly referred to as VoIP, has a threat model more closely resembling that of data networks than traditional voice networks. Not only does VoIP inherit most of the same reliability issues and security threats as data networks, it is subject to added vulnerabilities due to the “real-time” and mission-critical nature of voice communications. A data packet arriving a second late is usually inconsequential to the recipient; whereas, a voice packet that arrives a second late is useless to the recipient. For many companies, an attack that brings their website down for an hour is problematic; an attack that cuts off phone communications for an hour is catastrophic.
</p>

<p>
VoIP requires the IT infrastructure to support stringent requirements for latency (total time a packet is in transit), jitter (variation in the time between packets arriving), and packet loss (failure of voice packets to reach their destinations). These requirements result in implementations that are vulnerable to various forms of security attacks. 
</p>

<p>
The chart shows common VoIP security threats and their impact to companies and individuals:
</p>











<p>
Traditional security products, designed and built to protect data networks, are not equipped to identify and mitigate the security vulnerabilities inadvertently built into VoIP products and networks by their vendors. Intrusion Prevention Systems (IPS), for example, examine data traffic and check for the existence of known attack signatures. Examining voice traffic for these same signatures is useless; voice exploits have their own unique signatures. Unless the IPS knows about and checks for these unique VoIP signatures, the voice network is vulnerable to attack.
</p>

<p>
Fortunately, new security solutions are emerging that are purpose-built to address these specific VoIP vulnerabilities. In 2008 we will see the introduction of a new category of security products, which include applications such as VVA – VoIP Vulnerability Assessment; VIPS – Voice Intrusion Prevention System; VNAC – VoIP Network Access Control; and Anti-SPIT products.
</p>

<p>
Get ready now
</p>

<p>
Besides the increased attention that hackers, cyber criminals and corporate spies are paying to VoIP networks, regulators are recognizing the role that VoIP plays in the transmission, processing and storage of confidential information. Expect legislation such as Sarbanes-Oxley, GLBA, HIPAA and others to include provisions for securing VoIP networks.
</p>

<p>
Steps you can take to minimize VoIP security risk and prepare for the coming compliance requirements:
</p>

<p>
1. Look at your VoIP system through new eyes. Review your architecture with security in mind.
</p>

<p>
2. Perform a VoIP-specific vulnerability assessment and penetration test. Remediate reported vulnerabilities: policy and process, administrative, configuration and vendor-specific. Do this regularly.
</p>

<p>
3. Examine your organization’s regulatory requirements for VoIP. Incorporate VoIP security into audits and compliance reporting.
</p>

<p>
4. Conduct employee education for VoIP threat awareness. Add VoIP expertise to your security team.
</p>

<p>
5. Begin cross-functional meetings between network, telecom, security and audit departments to jointly plan your VoIP security protection and mitigation strategies. 
</p>

<p>
Rick Dalmazzi is President &amp; CEO of VoIPshield Systems (www.voipshield.com). He can be reached at rdalmazzi@voipshield.com or 613-224-4443 x201. 
</p>
]]></description>
      <guid isPermaLink="false">http://www.wsta.org/publications/ticker_magazine/jan_feb_2008/mitigate_disaster_security_risks_using_enterprise_change_management</guid>
    </item>
    <item>
      <pubDate>Fri, 01 Feb 2008 16:20:02 GMT</pubDate>
      <title><![CDATA[Mitigate Disaster & Security Risks Using Enterprise Change Management]]></title><link>http://www.wsta.org/publications/ticker_magazine/jan_feb_2008/mitigate_disaster_security_risks_using_enterprise_change_management</link>
      <description><![CDATA[
<p>
At one time, all the business applications critical to the enterprise resided on mainframes in the data center. The IT professional could protect the essential business computing resources by adhering to a few simple precautions. The goal of these precautions: ensure that critical computing services could be reproduced in a reasonable time frame with little or no data loss. The techniques used to realize this goal in an organization are referred to as Disaster Recovery Planning or Business Continuity Planning. Today DRP and BCP must evolve to meet the ever-increasing complexity of tracking digital assets in a modern computing environment. 
</p>

<p>
Enterprise Change Management (ECM) is a business process that manages and provides an audit trail of the revisions and status of all the digital assets. The digital assets managed by ECM are termed Configuration Items or CIs. The purpose of ECM is to identify, control, document and verify each CI in the infrastructure. The repository where the data associated with the ECM process resides is the Configuration Management Database (CMDB). In the Information Technology Infrastructure Library (ITIL) framework, change management is responsible for controlling change to all configuration items in the configuration management database, or &quot;CIs&quot; in the CMDB.
</p>










<p>
Phases of ECM Activation
</p>

<p>
The first phase of ECM activation is to identify what technologies enable the business services being provided. The description of the CIs – and especially of their relationships to one another – facilitates an understanding of the technological components of each service. In other words, this step maps business services to underlying technologies. The information provides the building blocks of a CMDB design and the technological pieces of a business continuity plan. It feeds business continuity planning by providing information critical to availability planning.
</p>

<p>
Alignment ensures that underlying technologies are managed consistently with Service Level Agreements (SLAs). It determines the procedural requirements that must be in place in order for the above-identified components to meet business needs. For example, imagine an application, a Web server, which is part of a larger service that is expected to be available 24x7. The Web server depends on a Lightweight Directory Access Protocol (LDAP) server to perform user authentications. Let’s further imagine that the LDAP server and the Web server are managed by different departments. Both departments have to be subject to the same SLA and must be able to work together to recover from a service disruption. A simple CMDB will provide at least enough information to enable the coordination of the different departments needed to respond to an interruption.
</p>

<p>
Institutionalization of ECM is the propagation of standard techniques and best practices across the enterprise. The goal is to utilize common tools, management strategies, measurements of performance and channels of communication. These benefits are especially relevant to complex business services that are composed of multiple applications running on multiple platforms. With ECM, no aspect of critical infrastructure is changed before evaluating the risks associated with that change.
</p>

<p>
The final stage, optimization, facilitates process refinement and automation. An optimized ECM process should enable the IT organization to cost-effectively respond to changing business needs. This derives from the fact that ECM – while an IT process – is not an IT-driven model. Indeed, it is a business-driven model. The identification of necessary business processes must ensure that business needs are met in the form of email to clients, transactions from customers and communication to employees. It is only through defining the business-facing requirements to the IT organization that any Disaster Recovery/Business Continuity plan may be put into place.
</p>

<p>
Configuration Management, Inc. (www.cmi.com) is a leading provider of Enterprise Change Management and Software Configuration Management® services. For more information please contact us at: 800-550-5058 or 732-450-1100. 
</p>
]]></description>
      <guid isPermaLink="false">http://www.wsta.org/publications/ticker_magazine/jan_feb_2008/mitigate_disaster_security_risks_using_enterprise_change_management</guid>
    </item>
  </channel>
</rss>