Network Security Illustrated

Rollout Systems
Rollout Systems are tools that enable updates or installations to occur over networks, to many nodes at the same time.

Technology Overview

Every network, whether large or small, needs to be maintained. Even a two-computer client/server network needs its share of patches, upgrades, new drivers, and new applications. On a small network this may mean walking around to a few workstations and making the changes over the course of an afternoon, or perhaps in a small company the employees themselves can be trusted to install the changes on their own. That simply stops working once a network exceeds a certain size.

Rollout systems, as these tools are sometimes called, are used in large networked environments to make software distribution practical. How is a large organization supposed to keep all of its nodes current with the latest software, patches, drivers, and configuration changes? How is it going to guarantee that its clients are essentially clones of one another? Is it feasible to expect this to be taken care of manually?

No, it is neither feasible nor viable to run from workstation to workstation in a large client/server environment making changes by hand. A manual approach has several fatal flaws. First, human error produces workstation problems that are inconsistent and difficult to troubleshoot. Second, it consumes all of the valuable resources of an MIS department, and third, it is simply too expensive; the staff time is better spent on other, more complex IT problems. The only solution is to automate the process, which brings efficiency and consistency across a large LAN or WAN.

How It Works

Imaging by itself is a simple concept to understand, supported by equally simple technology. Cloning is probably the best word for what imaging technology does. Any type of data in the world of computer science can be copied, but copying and cloning are not always the same. Copying means that another generation of the same data is written to another location; the copy usually carries information marking it as a second generation of the original (new timestamps, a different owner, a different place on disk).

Cloning means that an exact, bit-for-bit duplicate or mirror image of a data source is created. Put the clone next to the original and it would be impossible to tell the two apart. This is the essence of imaging: take a snapshot of a storage medium and write it onto a similar medium, replacing whatever was there. The image then behaves identically on any medium to which it is transferred. System administrators apply this concept to manage a network.

Organizations often tinker with workstation builds (standard setups) to find the best mix for their employees' needs. IT departments may test different combinations of client/server applications on various groups of users. Eventually decisions are made about who needs to use what on which computer system, and there may ultimately be different builds for different user types within one organization. Once specified, these builds can be imaged for central distribution.

Once the builds are imaged, they are stored in a repository on a server. The hard drive images are later distributed across the organization's network to workstations with blank hard drives. When a user logs on, a client/server shell on the workstation retrieves policy information from the server. Once the user is identified, the appropriate image is offered, and on acceptance it is installed on the local workstation. Note what this makes the repository: the single source of what every workstation runs. The repository server's own integrity, and the means by which a workstation confirms that the image it received is the one the repository published, deserve the same care as the builds themselves.

The images need not be any particular unit of data such as a whole operating system, and in fact are often much smaller. Typical images include an application patch, a driver upgrade that has been approved by the MIS department, or a Windows service pack. In certain circumstances, however, entire applications or even whole operating systems are distributed as cloned images and installed across a wide area network.

Security Considerations
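The client side of the process described above, as an added example rather than code from the book: a toy image repository, a manifest mapping user groups to builds, and a client that selects the build for a user, clones it block by block onto a blank target, and refuses an image whose digest does not match the manifest. The image contents, group names, build names and the CHUNK size are constructed for the example; the digest check assumes the manifest itself arrives intact (in practice it would be signed or fetched over an authenticated channel), since a digest protects against a tampered image, not a tampered manifest.

```python
"""Policy-driven image rollout with an integrity check on the cloned image.

Added example, not from Network Security Illustrated. Images, groups and
build names are constructed; the manifest is assumed to be trustworthy.
"""
import hashlib
import io

CHUNK = 4096  # clone in fixed-size blocks, as a disk imager would


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample images. A real repository holds disk or package images;
# the byte strings here stand in for them.
IMAGES = {
    "acct-build-1.0.img": b"ACCT-OS\x00ledger.exe\x00payroll.exe\x00" * 3000,
    "sales-build-1.0.img": b"SALES-OS\x00crm.exe\x00" * 3000,
}

# Manifest published by the repository: which build each group receives and
# the digest the client must observe. Assumed to be delivered intact.
MANIFEST = {
    "accounting": {"image": "acct-build-1.0.img",
                   "sha256": sha256_hex(IMAGES["acct-build-1.0.img"])},
    "sales": {"image": "sales-build-1.0.img",
              "sha256": sha256_hex(IMAGES["sales-build-1.0.img"])},
}


def select_build(user_groups, manifest):
    """Pick the build for a user. Exactly one of the user's groups must map
    to a build; zero or several is a policy error, not something to guess at."""
    matches = [g for g in user_groups if g in manifest]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one build for {user_groups}, "
                          f"found {matches}")
    return matches[0], manifest[matches[0]]


def clone_image(src: bytes, dst, expected_sha256: str) -> str:
    """Write src to dst block by block (a clone, not a file copy), hashing
    as we go. Refuse to report success unless the digest matches."""
    h = hashlib.sha256()
    for off in range(0, len(src), CHUNK):
        block = src[off:off + CHUNK]
        h.update(block)
        dst.write(block)
    digest = h.hexdigest()
    if digest != expected_sha256:
        raise ValueError(f"image digest mismatch: got {digest[:12]}..., "
                         f"expected {expected_sha256[:12]}...; not installing")
    return digest


def roll_out(user_groups, repo, manifest):
    """Client side of a rollout: select, fetch, clone and verify.
    Returns (group, image name, cloned bytes, verified digest)."""
    group, entry = select_build(user_groups, manifest)
    target = io.BytesIO()  # stands in for the blank local disk
    digest = clone_image(repo[entry["image"]], target, entry["sha256"])
    return group, entry["image"], target.getvalue(), digest


if __name__ == "__main__":
    g, name, disk, d = roll_out(["staff", "accounting"], IMAGES, MANIFEST)
    print(f"{g}: cloned {name} ({len(disk)} bytes), sha256 {d[:16]}...")
    tampered = dict(IMAGES)
    tampered[name] = disk[:-1] + b"\x90"  # one byte altered in transit
    try:
        roll_out(["accounting"], tampered, MANIFEST)
    except ValueError as err:
        print("rejected:", err)
```

The deliberate choice is that `select_build` fails closed: a user in two groups with different builds, or in none, gets no image rather than a guessed one, because the build is the policy decision.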

There are many reasons to use application distribution and imaging. It is a good way to maintain a consistent approach to network policy, and it is the only practical way to keep up with workstations in a large networked environment.

As we've said repeatedly, achieving total security is just about impossible. This is a problem that has plagued the 'S' word itself ever since Thog the Rock Smasher tried to protect himself from a stampeding woolly mammoth by hiding in a cave. Thog learned about the futility of security when he was eaten by a giant cave beast. It is, however, possible to maximize security by maintaining a consistent approach to security policy. Security policies come from a company's philosophical stance on security; once they exist, application distribution technologies can help enforce some of them.

Application distribution lets network managers determine who can do what at a specific workstation, which gives IT directors an enormous amount of centralized control over policy. For example, different groups of employees may be handed workstations with different application builds. Accountants may have a workstation image that includes only accounting software. Sales people may be given a customer relationship management tool on their build. As long as group and user policy is made to match application distribution policy, the wrong tools should not end up in the wrong hands.

Security is also greatly enhanced by centralizing the source of all software distribution. Combined with workstations on which ordinary users lack the privileges to install software themselves, it prevents rogue users from installing whatever application they want; without that second half, the build only describes the starting state, not what the workstation will run an hour later. Applications that are more likely to be a security threat can be eliminated entirely, or, if they are needed at all, only users with the appropriate privileges are permitted to request them. If a company wants only its creative directors to be able to download MP3 files, only those users will have peer-to-peer applications in their build.

In a recovery situation, application distribution really saves the day. If a workstation is infected with a virus or a trojan, the whole system can be wiped and reinstalled. Since most application distribution systems store complete images of workstation builds, reinstalling an entire workstation is not a problem (provided the user's own data lives somewhere other than the image, such as a server share, so that nothing of value is lost in the wipe). In fact, in organizations with very tight security policy, certain workstations may start each workday with a fresh image. Imagine coming to work every day knowing that your workstation has never been used! That gives a new meaning to "clean start."
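Deciding when a workstation has earned that wipe is a comparison against the image it was built from. The following is an added example, not code from the book: a manifest of file digests is recorded when the build is imaged, the workstation is hashed later, and any file added, removed or changed outside the areas that legitimately change (user profiles, temp directories) is reported. This catches both the hand-installed peer-to-peer client from the previous paragraph and a replaced binary. The golden build, the drifted workstation contents, the path names and the MUTABLE_PREFIXES list are all constructed for the example.

```python
"""Drift detection against a golden image, as grounds for re-imaging.

Added example, not from Network Security Illustrated. The golden build,
the workstation contents and the path names are constructed.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(tree):
    """tree: mapping of path -> file contents. Returns path -> sha256.
    In practice this is produced once when the build is imaged and kept in
    the repository next to the image."""
    return {path: sha256_hex(data) for path, data in tree.items()}


# Constructed golden build for the accounting group.
GOLDEN_TREE = {
    "C:/Windows/System32/kernel32.dll": b"kernel32 build 2195",
    "C:/Program Files/Ledger/ledger.exe": b"ledger 3.1",
    "C:/Program Files/Ledger/ledger.cfg": b"server=acct-db\n",
}
GOLDEN_MANIFEST = build_manifest(GOLDEN_TREE)

# Areas that legitimately differ from the image after use (assumption for
# the example). Everything outside them must match the image exactly.
MUTABLE_PREFIXES = ("C:/Users/", "C:/Windows/Temp/")

# Constructed workstation state: ledger.exe has been replaced, a peer-to-peer
# client has appeared, and the user has their own files (not a concern).
DRIFTED_TREE = {
    "C:/Windows/System32/kernel32.dll": b"kernel32 build 2195",
    "C:/Program Files/Ledger/ledger.exe": b"ledger 3.1 plus something extra",
    "C:/Program Files/Ledger/ledger.cfg": b"server=acct-db\n",
    "C:/Program Files/P2PShare/share.exe": b"not on any approved build",
    "C:/Users/alice/notes.txt": b"quarterly figures",
}


def is_mutable(path):
    return path.startswith(MUTABLE_PREFIXES)


def drift_report(golden, current):
    """golden and current are path -> digest manifests. Returns the managed
    paths that were added, removed or modified since imaging."""
    added = sorted(p for p in current
                   if p not in golden and not is_mutable(p))
    removed = sorted(p for p in golden
                     if p not in current and not is_mutable(p))
    modified = sorted(p for p in golden
                      if p in current and current[p] != golden[p]
                      and not is_mutable(p))
    return {"added": added, "removed": removed, "modified": modified}


def needs_reimage(report):
    """Any drift in the managed part of the disk is grounds for a wipe and
    re-image: the repository, not the workstation, is the source of truth."""
    return any(report[k] for k in ("added", "removed", "modified"))


def scan_workstation(tree, golden_manifest=GOLDEN_MANIFEST):
    """Hash what is on the workstation now and compare it to the image."""
    return drift_report(golden_manifest, build_manifest(tree))


if __name__ == "__main__":
    report = scan_workstation(DRIFTED_TREE)
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:9s} {p}")
    print("re-image:", needs_reimage(report))
```

A removed file is treated as drift too, not only additions and modifications, because a missing component (a deleted agent, a stripped configuration file) is as much a departure from the approved build as an extra one.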

Making the Connection

Ensuring Availability: Application distribution acts as a form of system backup. Recovery is achieved almost instantly when network systems become damaged, compromised, or unstable.

Network Management: Application distribution is often packaged with network monitoring systems. Imaging and distribution of workstations is a robust tool that scales in the same way as network monitoring and management.

Best Practices

There are many different options available to a company interested in system imaging and application distribution. Deciding which method is right can be the hardest part of putting this technology to use, especially in multi-platform environments, and of course most large networks are multi-platform environments.

Enterprise management vendors often bundle application distribution into their enormous solution packages. Similarly, popular client/server PC vendors such as Microsoft bundle in tools that demand a consistent platform. (Can you guess which platform they demand?) Both situations require careful consideration. Microsoft's IntelliMirror, for example, is bundled into Windows 2000 Server and is designed to make application rollout easy across Windows 2000 workstations and servers. But what happens to your Linux servers and your Macintosh workstations? They will not be taking advantage of IntelliMirror, that is for sure.

There are two ways to think about Microsoft's IntelliMirror. From one perspective, the inclusion of a powerful application distribution system for free is a large gift, because these systems are normally quite expensive. The flip side is that it is designed to make every MIS director strongly consider moving to an all-Microsoft environment, and from that perspective IntelliMirror is little more than a clever marketing tool. "Use all Microsoft products and your cross-platform management headaches will disappear," said the free software package.

Application distribution systems may sound fantastic, and they certainly beat running from workstation to workstation, but they do not eliminate the need for highly skilled staff. Good security stems from organizing the needs of the users, choosing the most appropriate software packages, and staying on top of patches and upgrades. This takes a lot of time for even the most experienced IT staff. Distributing chosen changes from a central location does not reduce the amount of thinking involved in setting up a solid client/server infrastructure. The point is that purchasing and using distribution tools will help make the most of resources but will not dramatically reduce the need for a talented in-house technology staff.

Final Thoughts

Application distribution takes advantage of an existing client/server environment to create shared, trusting relationships and is a fantastic way to enhance an organization's IT infrastructure. Careful thought about the specific imaging and distribution needs will lead a business to the right vendor for help in this area. Though many network operating systems include tools to aid in the process, those tools alone are often not enough. In addition, those tools may work on the assumption that only one platform is present across the network, which is seldom the case in large institutional environments.

More Information

The above information is the start of a chapter in "Network Security Illustrated," published by McGraw-Hill and available from amazon.com as well as your local bookstore. The book goes into much greater depth on this topic.
