Profile of Mike Fratto, Former Network Computing Editor
Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics and executive editor for Secure Enterprise. He has spoken at several conferences including Interop, MISTI, the Internet Security Conference, as well as to local groups. He served as the chair for Interop's datacenter and storage tracks. He also teaches a network security graduate course at Syracuse University. Prior to Network Computing, Mike was an independent consultant.
Articles by Mike Fratto
Expertise, automation, silo busting--what early adopters say private clouds really require.
Process automation has many benefits, but getting there can be tricky. Start with small, targeted projects.
Three months of planning the Interop network. Two weeks staging the equipment and preparing the network. Dozens of people from as many vendors all focused on putting together a network that will go live for six days. Glenn Evans, Interop network project lead and benevolent dictator, works with the vendors and volunteers to design, build, troubleshoot, and manage the InteropNet.
The hot stage is when all of the planning comes together. The InteropNet team documents every detail, down to
Cisco has announced new products for its Data Center 3.0 program. The new products and features continue to enhance the Cisco UCS platform with new servers and an improved interconnect technology, FEX Link, that offers increased capacity and redundancy.
The company is expanding Medianet to support the discovery of endpoint devices whether they are VoIP phones, cameras, or displays.
You read that right. Network Computing, the only IT magazine For IT, By IT is back with the first digital issue (registration required) on WAN optimization and application delivery in a virtualized data center.
The IEEE-ISTO (International Standards and Technology Organization) held its first conference on product certification and conformance at their IEEE headquarters in New Jersey. The goal of the IEEE Conformity Assessment Program (ICAP) is to provide support to other IEEE standards groups, test labs, and industry groups in developing conformance tes
If networking is cool at Interop, then testing, the red-headed stepchild of networking, is going to make itself known. Factors like data center consolidation and virtualization are changing the demands made of the network for more resilient, low latency and high speed capacity.
What is special about a virtual computer, a VM? It's a computer in a file. That's it. It's just a computer stored in a file with similar foibles and management issues as a physical computer. So why do some people invest virtual computers with some magical transformative powers? Do they not understand what a virtual computer is?
HP ProCurve announced a new module for their ProCurve 8212 and 5400 modular switches. The Threat Management Module offers firewall, VPN, and IPS functions simultaneously on the switch backplane, which is unlike Cisco's approach with the Catalyst 6500, which requires separate security modules for firewall, VPN, and IPS. The cost, however, is lower performance per module. ProCurve needs to increase module performance to make it a replacement for appliances.
IBM and Brocade jointly announced that Big Blue will be selling Brocade network switches branded as IBM Ethernet switches. The agreement extends the existing IBM/Brocade OEM deal for SAN equipment. A lot of people will see this as a reaction to Cisco's UCS launch, but according to IBM, nothing is further from the truth. I think it pits IBM against HP.
An intriguing idea, isn't it? Outlandish, you say? Maybe, maybe not. The fight for the data center is on. Brocade acquired Foundry solidifying the storage giant in the data center. HP ProCurve's One program forms a solid partnership to round out data center components. Oracle's acqu
Verizon Business' most recent 2009 Data Breach Investigations Report is a must-read report if you're involved in IT. The authors are quick to point out that the report is not a "state of security" report, but an analysis of breaches from Verizon Business' Risk Team and therefore based on in-the-field findings. The report winds up with recommendations. How many is your company following?
I am one of those people who believes in universal access. I think it is desirable for those of us living in urban/suburban areas to subsidize telecommunications to rural areas. Subsidies help build out and maintain our telephone network, resulting in a net benefit. So subsidizing broadband roll-outs with government funds is good as well. Too bad Time Warner and others are trying to strong-arm the FCC into supporting a tacit monopoly with public funds.
If it's spring, it must be InformationWeek's Annual Security Survey, where we gather and analyze changes in security practices. Please join the 40,000 security professionals, IT staff, and managers who have participated in this landmark survey in recent years.
The last two weeks have brought us two different attack vectors affecting servers and PC's alike. First Invisible Things Lab's Joanna Rutkowska and Rafal Wojtczuk presented the details of an attack on Intel's System Management Module which lets the malware do whatever it wants and effectively hides from everything else. Meanwhile, An
Network connections have been getting faster over time and, correspondingly, applications have been keeping pace by getting fatter. Add in the changes in how applications are delivered as Web applications, hosted applications, and virtual desktops, and application performance is becoming increasingly important. We want to get your thoughts on application delivery. Please take a few moments to fill out our InformationWeek
In "DNSSEC: Forgetting The User, Again," I opined about why users should be notified about signed vs. unsigned DNS responses. Dan Kaminsky, a security researcher with IOActive, and I got into a quick conversation about DNSSEC, SSL, and trust on the Internet. Kaminsky had some interesting thoughts on distributing trust.
Web application security is of particular importance because so much of our digital life is spent interacting with Web applications. Lori MacVittie, technical marketing manager with F5 and former Network Computing senior technology editor, has spent years kicking the question of where application security belongs -- in the network or the application -- back and forth. But I want to draw a line in the sand: Don't depend on Web application firewalls to fix your software problems.
What has been happening to your data center port density over the years? If you've been adding server hardware, then chances are port density has been increasing in ones and twos. But if you've been adding virtualization, the port density may be rising in fours or eights as you try to balance network I/O over multiple NICs. Get ready to virtualize your management.
A lot of very smart people are working very hard to make the Internet trustworthy. The Internet Assigned Numbers Authority (IANA) has launched a beta Interim Trust Anchor Repository so top-level domain owners can publish DNSSEC material while ICANN works out signing of the root zones. The ITAR is one more step in the road to DNSSEC. But DNSSEC is a technical solution and, like other technical solutions, ultimately misses
Moxie Marlinspike's presentation New Tricks for Defeating SSL in Practice should be an eye-opening presentation on the fragility of the trust we place in secure Web sites. Marlinspike uses some fairly mundane technical tricks coupled with astute observations about human behavior to pull off a difficult task -- seamlessly subverting the indicators of HTTPS Web sites prese
It's no secret that the business office uses financial models to approve and disapprove purchases. Getting proposals approved on business merit is often misunderstood by many IT and security practitioners who see the need for a technology but can't convince business folks. Return on investment (ROI) is often used to justify, in part, an IT purchase, expressing the result as a percentage return. Risk reduction is the primary goal.
OS installs have gotten easier over the years, whether it's a Linux distribution, Mac OS X, or Windows. Fewer choices to make and fewer technical decisions that need to be pondered. But today, I found the easiest of them all, Slax 6 Build a Distribution and I think it serves as a model for how software should be distributed, a la carte, and as a model for smart system recovery.
Cox Communications recently announced a new bandwidth management program, while Google and partners are releasing a tool to detect throttling. The traffic battles are heating up, but the deck is stacked against users, since we use the pipes rather than manage them. Even so, Cox's plan seems responsible and, if done right, can balance competing network demands.
The company's outreach to other green-power companies focuses on integrating power management with network devices to monitor and control power usage.
Drew Conry-Murray takes apart PCI in his recent blog PCI Is Meaningless, But We Still Need It. I agree with most of his points, but they mostly apply to companies that view compliance as a set of checkboxes that have to be filled in annually. Filling checkboxes is doomed to failure. Focus on the spirit of the requirements and your company's security posture will be the better for it.
Nortel has initiated a restructuring process in an attempt to turn the company around. Despite the doom and gloom about the announcement, Nortel is far from a fire sale. Restructuring may be a good step to get control of the company. With $2.4 billion in cash, Nortel is in a far different position than U.S. automakers. Nortel has been struggling for the last few years to turn its business around.
A group of security experts comprised of vendors, government experts, educators, and individuals published Mitre's Common Weakness Enumeration, a scheme that identifies common programming problems and offers guidance to avoid the problem in the first place. The group hopes the CWE list will be used by colleges to teach secure programming, vendors to avoid the mistakes, and customers to demand these problems are not in shipping code.
The trust in digital certificates relies on the fact that the authority issuing the certificate has validated the identity of the person or company making the request and that the digital certificate can't be forged. New research presented at the 25th Chaos Computer Congress shows that forging digital certificates is possible and practical. Trust in the SSL i
NMAP, the open source network mapping tool, should be in any network or security administrator's toolbox. It's a feature-rich network scanner that goes far beyond port scanning, with capabilities such as service and OS detection and stealth and evasion modes, and it sports an internal scripting engine. NMAP Network Scanning, a reference guide written by Gordon Lyon, a.k.a. Fyodor, is a must-have book to get the most out of NMAP.
Good security programs start with asking the right questions. All too often, security and network engineers sweat the details of some security technology or other and don't examine the most likely sources of attack. I recently overheard the question "How long should I set an IPSec VPN rekey time interval?" Answer the question by asking how worried you are about an attacker breaking into your VPN and how that might be accomplished.
In an unusual move, Microsoft has issued a patch for all versions of Internet Explorer from v5.5 onward and for all versions of the Windows operating system. Time to roll out that out-of-band patch before your users get infected. Reports of users being exploited are rising.
We all know that spammers will do whatever it takes to find a way to send their advertisements and scams to potential victims. Spammers are circumventing methods services like Gmail, HotMail, and Yahoo use to stop automated spam to the point that even legitimate users of these services are unwitting victims of anti-spam.
The company said its APM appliance gives administrators 10,000-foot to microscopic views of network applications on the same appliance.
Every once in a while, I come across some really bad conclusions based on some really bad research. The report A First-Ever Research Study: Estimating Google's U.S. Consumer Internet Usage & Cost -- 2007-2010, from netCompetition.org, is one such document. Promising to be "straightforward, open, transparent, and replicable as possible" in its m
Alcatel-Lucent recently announced a sweeping set of enhancements across many of its switch and unified communications product lines. ALU, better known in the service provider arena, wants to send the message that it can compete with the likes of Cisco, Hewlett-Packard, and 3Com as a total solution provider for voice and data services rather than a point product vendor. Is a single source necessary or the best option?
This morning's Trusted Computing Group summit focused on the Trusted Platform Module (TPM), NAC, and the TNC. The event was well-attended and covered a range of topics from what the TPM is and what it is used for to the TNC's role in NAC and NAC standards. One overwhelming message came out: Users want standards. Vendors are not listening.
Green Hills Software's Integrity 178B operating system is the first, and only, certified Common Criteria Evaluation Assurance Level (EAL) 6+ operating system on the market. Green Hills Software uses Integrity as the basis for a secure PC operating system called Integrity PC and includes Padded Cell Virtualization, a secure hypervisor running within Integrity PC. Integrity Global Security LLC has been formed as a subsidiary of Green Hills Software to market Integrity PC. Integrity PC is provably se
There are three legs of a table that, if weakened, put your organization at risk and, if a leg is removed, let the table fall to the ground. IT governance, risk, and compliance (GRC) is fundamentally a return to the basics of information security. Regardless of technology, you need to know what to protect, when it needs protecting, and why it needs protecting. Getting ahead of the game is more effective than catching up later.
Brian Snow's keynote at CSI 2008 started with an amusing graphic of a guy pouring gas over his head while lighting a cigar. The message was that we always take risks, even when we aren't aware of them. Snow learned a thing or two about risk while working at the NSA for 20 years, ending as technical director for information assurance. Information risks, he points out, are moving targets, and information security programs need to be adaptable and w
This year's CSI 2008 event promises to be every bit as interesting as ever. CSI tracks are broad, the topics deep, and the speakers top-notch. Once again I find myself wanting to see all of it (9 tracks!) but only one of me.
Gunter Ollmann, director of security strategy with IBM Internet Security Systems, wrote a short paper on designing applications to be resistant to infected hosts. Ollmann offers some solid, high-level design advice that Web developers should read and consider adopting. But the paper also highlights the difficulty and complexity in securing the Web-based ecosystem.
NIST is wrapping up accepting submissions for a new cryptographic one-way hash algorithm today. NIST's competition follows a tradition of peer review, public discussion, and acceptance of algorithms that brought us DES, SHA, and AES. The selection process won't be complete until 2012, but the final selection should address weaknesses in the hash algorithms used today.
Cisco follows up on its survey on data leakage, which I already wrote about, and an analysis of policy effectiveness. There isn't too much surprising in the findings, but the results continue to highlight the need for sound security policy management processes in organizations and,
ICANN, the organization that manages the technical aspect of the DNS, among other things, has opened up a 45-day public comment period on the process for requesting a new generic Top Level Domain (gTLD) such as .com, .net, and .gov. The comment period is the next step along the path of adding more gTLDs to DNS. If you are involved with DNS, or work for a global or national brand, you want to pay attention to t
The Metro Ethernet Forum (MEF) really is a good model for standardization bodies. The MEF brings service providers and equipment makers together to create standards for all facets of Carrier Ethernet as well as providing conformance testing and certification. Kevin Vachon, COO of the MEF, provided some interesting insights into the direction of the MEF and, therefore, the direction of Carrier Ethernet.
Ethernet Expo is the place to be to get current on the technology and service offerings. While the main show is aimed more toward service providers, enterprise attendees to the show can gain some valuable insights on upcoming standards work, deployments, and last mile connectivity.
LightReading and InformationWeek are putting on Enterprise Day at the end of Ethernet Expo on Oct. 22 at the Hilton in New York. Registration for the event is open. Spending the day will get you up to speed on the happenings in Car
John Timmons at Ars Technica wrote about the interorganizational wrangling beginning as .gov studies DNS fix. At issue: who should implement and manage the root signing process, which raises the question of who should hold the root keys to such a critical service. But my question is, why does the root zone need to be signed at all?
The pendulum swing between responsibly disclosing a vulnerability privately to affected vendors so they can create a fix versus telling the world so IT can be aware of potential problems is swinging back into the vendors' favor. The result is that without public awareness, vendors aren't motivated to institute fixes on a timely basis.
Cisco commissioned a global survey of IT administrators and computer users about their perceptions on data leakage. Not surprisingly, the study found employees use their work computers for personal use and IT knows it.
Ben Tomhave posted a lengthy set of observations from the IEEE Key Management Summit 2008. He did walk away confident that key management standards will be forthcoming. That's too bad. One of the best ways to protect data at rest is to encrypt it. However, enterprise encryption requires enterprise key management, not a bunch
There are a lot of reasons why NAC adoption is slower than expected -- it's expensive, it's complicated, there isn't always a clear benefit, competing IT projects are taking priority, and there's still a lot of confusion about NAC technologies. Until IT grasps these issues, they won't move forward.
Announced at Interop, Endace Analytics Center 2000 provides network analysis for Endace's NinjaProbe, while Solera Networks announced an OEM program providing data-capture services to others. In both cases, the ability to play back captured network traffic eases troubleshooting and resolution.
Halfway through NAC Day at Interop, I moderated a panel populated by representatives from the sponsors. What became clear during and after the panel is that attendees are very concerned about standardizing NAC. Who wants to buy a proprietary product that won't play well with others?
Earlier this summer I was tapped for NAC Day 2008. It's a day-long event on the topic of Network Access/Admission Control at Interop NY held at the Javits Center. I'll agree to almost anything if I can get a trip to Manhattan out of the deal. I hope to cover nearly every aspect of NAC in 5 hours and 45 minutes.
Researchers at Carnegie Mellon University have proposed a system whereby you can ensure that when you attach to a server that uses SSH or a self-signed digital certificate and you haven't verified the authenticity of the host identity beforehand, you aren't subject to a man-in-the-middle attack.
An unknown certificate is a failure in SSL/TLS, and that's how it should be. Ever since Firefox 3 came out, the way it presents SSL-enabled Web sites with self-signed certificates has been called scary and hurtful. Untrusted self-signed certificates should be scary because untrusted self-signed certificates are a failure in SSL/TLS, and a failure in your authen
Why is Cisco equipment counterfeited? Because, according to an FBI presentation, Cisco has market share.
There seems to be a lot of confusion about the relationship between DNS and SSL. Even a slip of the virtual pen, a mistake I recently made, only adds to the problem. The recent DNS forgery issue that Kaminsky talked about in his Black Hat session doesn't break SSL in any way.
Up until Matasano mistakenly let the cat out of the bag about the DNS forgery attack that Dan Kaminsky found, lots of experts were downplaying the problem as old and known. Once the details were released, those same folks agreed, that yes, the problem Kaminsky found was that bad. Since Kaminsky gave his presentation about the DNS vulnerab
VeriSign has been very active in beating the Extended Validation certificate drum. I just have a real problem with EV certificates being sold as "better" than regular EV certificates. EV certificates don't change the security features of the resulting SSL connection. The green or red address bar doesn't tell us whether a Web site is trustworthy or not. But the green bar adds greenback to you
One thing is true about the security research community: it is populated by people who don't like to be told what to do or how to act. Halvar Flake thought the way the DNS disclosure was handled was OK, but didn't think the discussion blackout would be useful. So setting off as a DNS novice, he spent a few hours figuring out the problem. He got pretty close, too. So then Matasano Security
I will be giving an hour-long Webcast Wednesday, July 23, 2008, at 11 a.m. PT / 2 p.m. ET, on InformationWeek's 2008 NAC Survey. We asked information professionals about their plans for NAC; why they were embarking on a NAC project; what they expected to achieve; and what their concerns were. We compared these results to past surveys t
Since the CERT announcement yesterday about the new vulnerabilities in DNS, there has been a lot of speculation that what Dan Kaminsky found is old news. Thomas Ptacek from Matasano, in an interview with Nathan McFeters at ZDNet, pretty much dismisses the vulnerability as old news and therefore unimportant. That sentiment is echoed on mailing lists and message
CERT has issued an advisory, short on details about the exact nature of the problem, about a fundamental flaw in the DNS protocol which allows an attacker to poison a DNS cache. Working with the person who found the flaw, Dan Kaminsky, CERT notified vendors of the problem and is coordinating a publication of the patch. If you run a DNS server, check with your vendor to see if a patch is available.
ICANN, the Internet Corporation for Assigned Names and Numbers, which manages the generic Top Level Domain (gTLD), recommended opening the gTLDs to organizations that can afford the registration process and can prove they have the wherewithal to manage a gTLD. Many are predicting Wild West expansion of names and the death of the .com. I predict it will be risky business for domain name owners.
Many of us computer users suffer in silence. Yes, there are the outspoken people we see complaining on message boards, but in general, we put up with the quirks of applications because the alternatives are not worthwhile. And sometimes, we have to go along to get along, which means forced updates to the latest version of software for no other reason than you have to be able to share files easily. Computers should change to fit our needs, not the other way around.
The research summary headline, Reports of NAC's death have been greatly exaggerated; market up 16% in 1Q '08 really says it all. But let's not get too excited. The increase of 16% in 1Q over the previous quarter means approximately $10 million more in sales. The market is still relatively small, so any movement will be magnified. What's more interesting is the market breakdown.
As part of our on-going coverage on network access control, InformationWeek's NAC Immersion Center was recently updated with new content from recent Las Vegas Interop keynotes and presentations.
The lack of a certification program makes it tricky to get NAC right.
The Personal Data Privacy and Security Act would require enterprises with more than 10,000 customers to implement a security and auditing plan and to notify their patrons when there is a suspected breach.
Switching browsers might protect you against software security problems for now, says Mike Fratto, but in the long run it's a strategy that's destined to fail.
We put five UTM firewalls through extensive tests to see if they could detect blended threats and maintain high performance. Although we were mostly underwhelmed with the results, our Tester's Choice stood out from the rest, having caught all our 'attacks' the first time around.