Separating Corporate Network Traffic From Production Traffic
Andrew S. Baker, Vice President, IT Operations
http://www.callargi.com
Agenda
Background on your organization
The challenge you were facing
The process of deciding on a technology/vendor
Implementation: timeline, training, hurdles, costs, challenges
Results/benefits
Advice to others
ARGI
Established in 1971
Located in Montvale, New Jersey (Headquarters) and Naples, Florida
Serving Publishers and Marketers Across Select Verticals
Industry Leader Specializing in Hosted Audience Management Solutions
Approximately 60 employees
Family Owned for Over 30 Years, Now Private Equity Owned
Our Investors:
Shore Points Capital
TSG Equity LLC
Fifth Street Capital
ARGI – What We Do
We help organizations leverage the intersection of their content and audience across media, and help them to become media agnostic and thrive in an increasingly digital world
We deliver an audience management platform that allows organizations to interact with, profile, analyze, and grow their audience, driving revenue across multiple channels:
Subscription and merchandise sales
Advertising
Lead generation
SaaS solutions that involve housing sensitive client customer data
The Challenge
The network needed to be segmented because Corporate and Production traffic was intermingled, which complicated requests by our auditors because it put the whole network into scope for any client-related access requests
The business drivers for this change included a need for operational efficiency, and improved security and compliance
The expected benefits included the following:
Improved security and simplification of access rules
Better accountability of asset usage
Simplification of access control and auditing
Minimizing the scope of attacks and downtime
Choosing the solutions: The Vendor
Choosing the technology solution was actually very easy for us in this case, because we were not starting from scratch, we did not have too many vendors in play already, and we were very comfortable with the vendors involved.
We are almost exclusively a Cisco shop at the networking level, and we were at a point where we needed to upgrade our hardware.
Cost is always a factor in a small business environment, but it was also important that we disrupt the business as little as possible, in deploying the new hardware and changing the configuration.
We never seriously considered changing the vendor, but spent a great deal of time with the vendor getting comfortable with the proposed configuration that would address our needs.
Choosing the solutions: Budget Approval
Getting the budget is almost always a challenge. No surprise there.
The networking infrastructure upgrades represented about 25% of the total infrastructure budget that we put together for the re-engineering project.
A major component for getting this budget approved was a risk analysis. Rather than a set of standard return on investment calculations, because this re-engineering effort was initiated from a review of the overall infrastructure, we approached the problem from the perspective of ongoing risk that needed to be mitigated, and showed how our proposed solutions would address each of those risks.
The overall approval process took approximately 2 months.
The Approval Approach: Risk Mitigation
Highlight current accomplishments
Identify ongoing risks to the business at a high level
Provide details on the likely impact of these risks
Identify the solutions and projects that are necessary to mitigate these risks
Provide some additional benefits that will be derived from the re-engineering effort
Summarize why these risks, which may have been in place for some time already, need to be addressed at this point.
Address the problems in small chunks with clear milestones.
Implementation – Part 1
We began our project in April of 2008.
4/2008: Upgrade our Telecom system to support VoIP for remote office
5/2008: Bring our remote office online
6/2008: Upgrade the core switches and consolidate all servers onto the core
7/2008: Move all corporate systems to their own set of switches
8/2008: Create an isolated network for data backups to disk/tape
8/2008: Upgrade the firewalls to the Internet and place a firewall between Corporate and Production network
9/2008: Simplify access control lists, and remove obsolete rules
11/2008: Deploy new access gateways for remote connectivity
Email upgrade and IPS deployment are still pending.
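The September step of simplifying the access control lists and removing obsolete rules is where a first-match ACL between the corporate and production networks tends to accumulate dead entries. The following is an added example, not ARGI's configuration or any Cisco tooling: it models a small corporate-to-production ACL with constructed addresses and finds rules that an earlier rule already fully covers, which is the mechanical part of the cleanup.

```python
"""Shadowed-rule finder for a simple first-match ACL.
Added example; the subnets and rules below are constructed, not ARGI's real config."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR (corporate side)
    dst: str               # destination CIDR (production side)
    proto: str             # "tcp", "udp" or "ip" (any protocol)
    dport: Optional[int]   # destination port, None means any port


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is already matched by `outer`."""
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    proto_ok = outer.proto == "ip" or outer.proto == inner.proto
    port_ok = outer.dport is None or outer.dport == inner.dport
    return src_ok and dst_ok and proto_ok and port_ok


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never match under first-match evaluation,
    because some earlier rule (permit or deny) covers everything they would match."""
    return [i for i, rule in enumerate(acl) if any(covers(acl[j], rule) for j in range(i))]


def first_match(acl: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Evaluate one flow against the ACL; implicit deny if nothing matches."""
    probe = Rule("probe", f"{src}/32", f"{dst}/32", proto, dport)
    for rule in acl:
        if covers(rule, probe):
            return rule.action
    return "deny"


# Constructed corporate (10.1.0.0/16) to production (10.2.0.0/16) ACL.
CORP_TO_PROD = [
    Rule("permit", "10.1.10.0/24", "10.2.0.50/32", "tcp", 22),   # ops hosts to bastion
    Rule("permit", "10.1.0.0/16", "10.2.0.0/16", "tcp", 443),    # corp to prod web tier
    Rule("permit", "10.1.20.0/24", "10.2.0.0/24", "tcp", 443),   # obsolete: rule 1 covers it
    Rule("deny", "10.1.0.0/16", "10.2.0.0/16", "ip", None),      # everything else blocked
    Rule("permit", "10.1.30.0/24", "10.2.5.0/24", "udp", 514),   # unreachable after the deny
]

if __name__ == "__main__":
    print("dead rules:", shadowed_rules(CORP_TO_PROD))   # [2, 4]
    print("laptop to db:", first_match(CORP_TO_PROD, "10.1.40.7", "10.2.5.9", "tcp", 1433))
```

The `first_match` check shows the infected-laptop case from the results slide: a workstation outside the permitted ranges gets only the explicit deny, whatever port it probes.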
Implementation – Part 2
We performed these upgrades with our existing staff (1 Network Engineer & 2 Systems Engineers), but we did make a fair amount of use of Cisco support in the planning stages.
I am very happy to report that we met our budget for this project. As for time, we took longer than anticipated in large part because we did not use external consulting services. We had planned to make all the changes within 4 months, but took double that time.
The vendor played very little role in the delays. What was more significant were all the ways in which systems were intertwined across Corporate & Production, and the extra work that it took to separate them. And, this was done with existing staff only, so we had to account for day-to-day work, plus other projects from the rest of IT or the business.
Implementation – Lessons Learned
Try to ensure that the people on your key projects are not also handling day-to-day activities at the same time.
If possible, deploy a lab to test out some proofs of concept. We had to adjust our implementation a little bit as we went, because certain approaches didn’t work out in practice because of existing constraints.
Add more planning time upfront. The more assumptions you can validate before you get into the project, the fewer changes you will need to make on the fly. And changes have a ripple effect.
The technology is the easy part. The policy changes are where you will likely experience the most pain. Try to socialize the changes that will impact others who use the systems involved.
Results
Based on what has been completed so far, we have been able to mitigate about 85% of the risks we initially identified, plus some others that we discovered during implementation.
One of the side benefits of this project is that we were able to extend VoIP to a remote office at a flat cost, and we were able to address a few performance problems with a legacy application.
On the whole, once they got used to the restricted access to our critical systems, the corporate users have been fine. In one instance, risk from an infected laptop was mitigated, because it did not have broad access to critical systems as in the past.
We have just two more major phases: Separation of all corporate email from Production Email, and the deployment of an IPS.
The Good, Bad & Ugly
The Good
I’m especially happy that we chose to implement the re-engineering as a series of smaller projects, whose benefit was easier to quantify.
The planning time we spent with Cisco upfront was extremely valuable. I will do this again every single time.
The Not So Good
In the future, I will endeavor to pursue server and networking overhauls of this scope separately. Changes in the one area almost always have an impact on the other area, and can complicate the deployment.
Advice
My advice to another organization with a similar challenge is:
Don’t have too many moving parts at one time. If you’re changing the network, don’t also change all the servers until you have finished the network.
Add about two weeks of planning time for each month of anticipated project time, and be sure to get the vendor involved to review your plans.
Don’t just put it on the vendor to create the plan. Provide at least a basic project plan that outlines what you want to accomplish, and then work with the vendor to flesh it out.
The better your inventory of devices and applications, the better your plan will accommodate your business.
While you cannot anticipate every challenge, you need to be prepared to deal with surprises. This is best handled with adequate staff, and good planning.
Thank You
Andrew S. Baker, Vice President, IT Operations
http://www.callargi.com