New DNS address management tools help appliance maker wash away previous security woes

A year ago, the most frequent cause of network problems at Whirlpool wasn't hackers or disgruntled insiders. It was fat-fingered local network administrators.

"The problems were almost purely accidental," recalls Greg Fisbeck, lead network engineer for the appliance giant, which operates a global network of some 80,000 endpoints, including the Maytag business acquired last year.

"Some administrator would put in an extraneous character, or put a space in the middle of a host name, and the next thing you know, they'd bring down a whole [address] zone. And here in the data center, nobody knew about it until people started calling in to say they couldn't get into Whirlpool.com."

The problem, Fisbeck explains, was the company's address management system. The old system required a good deal of manual configuration, and many of the local administrators weren't familiar with the conventions of IP addressing. Worse, the old system didn't allow Whirlpool to restrict administrator access -- once they were in the system, untrained admins could make changes that might unintentionally affect whole address zones.

Whirlpool had been considering the purchase of a new IP address management system for years, but the functionality of earlier systems was limited, and it was difficult to explain the value of a DNS/DHCP administration tool to top-level managers who weren't familiar with addressing technology, Fisbeck recalls.

Then, in 2006, the stars began to align. Whirlpool acquired Maytag -- and all its IP addresses -- which made it easier to create a business case for an overarching management system. And Bluecat Networks was nearing completion of its Proteus 2.0 IP Address Management (IPAM) and Adonis 5.0 DNS/DHCP appliance lines, which answered many of Whirlpool's concerns about earlier address management systems.

With Proteus and Adonis, Whirlpool can now restrict administrators' access to addressing functions, so that they can make changes only to their own domains. Instead of several different systems, administrators make changes only in one central system, which reduces the likelihood of a mistake that takes down a whole zone of addresses. And the new systems offer templates for IP addressing, reducing the chances that an administrator will use the wrong format.

"With Proteus and Adonis, we've really reduced the chances of an administrator creating problems by accident," Fisbeck says.

The new appliances may also help Whirlpool avoid problems created by targeted attacks, Fisbeck says. For example, the Bluecat technology can manage heavy address requests created by a denial-of-service attack, and it can help Whirlpool's security team identify and quarantine bogus requests.

Fisbeck wouldn't say how much Whirlpool spent on the installation. Pricing for Adonis starts at $2,995; Proteus is $29,995. Whirlpool has five Adonis units in service and one Proteus.

Over the longer term, Whirlpool may also use Proteus and Adonis to help implement network admission control (NAC) at its endpoints. "Proteus has the ability to authenticate a user before we give them a permanent IP address, which would be one of the steps we need to take for NAC," Fisbeck says. The company still isn't completely sold on NAC, but the Bluecat products will allow Whirlpool to do some trials and test it out, he says.

In the meantime, Whirlpool is deploying Proteus and Adonis across its network, and expects to complete that deployment by the end of this month. "We think it's going to help a lot," Fisbeck says. "We won't have to worry anymore about losing a zone just because someone made a typo."

— Tim Wilson, Site Editor, Dark Reading
