The Effective CIO: Getting the Network Information Needed to Do Your Job Well
by Stu Henderson
March 3, 2010
Here we’ll discuss how to get the network information needed to do your job well. This means first knowing what your networks consist of, and then knowing how your network staff is configuring and maintaining them. You will likely find several opportunities for improvement by integrating the work of your TCP/IP, SNA, and security software staff.
You need only enough network details to know your technicians have the information they need to manage the networks well. If you aren’t sure of that already, ask them for a one-page map of 1) physical networks, 2) logical networks, 3) SNA, and 4) TCP/IP. Be sure they include dial-up modems and intranet and Internet connections.
Ask how changes to these items are controlled: How do the technicians know their maps are always complete and current? If you aren’t satisfied with any part of their answers, have them dig deeper until they satisfy your concerns.
Once you know your staff has complete, organized information to manage the network, you can ask them to pursue these objectives:
- Cost minimization
- Security (protection against eavesdropping and spoofing)
- Simplification and ease of administration
- Recoverability.
You can’t look for cost minimization without a good map of your network components and their costs. Periodically, have your network managers review the entire network and provide a breakdown of what each component costs. They can consider the standard cost-reduction measures we’ve discussed in previous columns, such as substitution, reallocation, rescheduling, elimination, etc. Ask network suppliers how they can help reduce costs.
For security, understand the risks before deciding how to manage them. Your application risk assessments describe what data is sensitive and why. Periodically, have your network and security managers work together to ensure sensitive data (including passwords) is encrypted along every relevant path in your network.
Note that Local Area Networks (LANs) are subject to sniffing of mainframe user IDs and passwords if you don’t use protection such as Kerberos. This may lead to cost savings as well, as you consider both hardware and software encryption, use of a hardware co-processor on your mainframe for encryption, and enhanced use of Secure Sockets Layer (SSL).
Save more by using your security software (RACF, ACF2, or TopSecret) as your certificate authority. Moving all digital certificates to your security software will improve security in any case.
Ask how TCP ports and IP addresses are being controlled on the mainframe. Your security software can help (using the SERVAUTH SAF call). In the same way that you restrict who can create new data set high-level qualifiers, you want to control who can use a given TCP port.
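One way your staff could answer the port-control question is with a small audit of the TCP/IP profile, shown here as an added example that is not from the original column. It assumes the profile's `PORT` statement with its `SAF` keyword and the `EZB.PORTACCESS.sysname.tcpname.resname` resource naming in the SERVAUTH class; the sample profile, the system name `SYS1` and the stack name `TCPIP` are constructed.

```python
import re

# Constructed sample of PORT reservations from a z/OS TCP/IP profile (not from the article).
SAMPLE_PROFILE = """\
PORT
   21 TCP FTPD1            ; FTP control, reserved to one job name
   23 TCP TN3270 SAF TELNET
   5000 TCP * SAF PAYROLL  ; any job name, but SAF-checked
   8080 TCP *              ; any job name, no SAF check
TCPCONFIG RESTRICTLOWPORTS
"""

ENTRY = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(\S+)(.*)$", re.I)

def audit_ports(profile, sysname, tcpname):
    """Return one dict per PORT reservation with the SERVAUTH resource guarding it, if any."""
    findings, in_port = [], False
    for raw in profile.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a profile comment
        if not line:
            continue
        head = line.split(None, 1)
        if head[0].upper() == "PORT":                # entries may follow on the same line
            in_port = True
            line = head[1] if len(head) > 1 else ""
            if not line:
                continue
        m = ENTRY.match(line) if in_port else None
        if not m:
            in_port = False                          # any other statement ends the PORT block
            continue
        port, proto, job, rest = m.groups()
        saf = re.search(r"\bSAF\s+(\S+)", rest, re.I)
        resource = (f"EZB.PORTACCESS.{sysname}.{tcpname}.{saf.group(1).upper()}"
                    if saf else None)
        findings.append({
            "port": int(port), "proto": proto.upper(), "job": job,
            "resource": resource,                    # profile name to look for in SERVAUTH
            "open_to_any_job": job == "*" and saf is None,
        })
    return findings

if __name__ == "__main__":
    for f in audit_ports(SAMPLE_PROFILE, "SYS1", "TCPIP"):
        print(f)
```

Each `resource` value is the SERVAUTH profile your security administrator should be able to show you, along with who is permitted to it; entries flagged `open_to_any_job` have neither a job-name restriction nor a SAF check.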
Preventing spoofing of IP addresses or VTAM Control Points will be necessary if your security relies on this information. This applies especially to SNA Network Interconnect (SNI) or APPN networks.