<?xml version="1.0" encoding="utf-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>dylan tweney &#187; CIO</title> <atom:link href="http://dylan.tweney.com/category/publications/cio/feed/" rel="self" type="application/rss+xml" /><link>http://dylan.tweney.com</link> <description>if you&#039;re bored, you&#039;re not paying attention</description> <lastBuildDate>Wed, 08 Feb 2012 18:19:26 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>E-Mail on the Cheap</title><link>http://dylan.tweney.com/2003/09/14/e-mail-on-the-cheap/</link> <comments>http://dylan.tweney.com/2003/09/14/e-mail-on-the-cheap/#comments</comments> <pubDate>Mon, 15 Sep 2003 07:00:00 +0000</pubDate> <dc:creator>Dylan Tweney</dc:creator> <category><![CDATA[CIO]]></category> <category><![CDATA[Published Work]]></category><guid
isPermaLink="false">http://dylan.tweney.com/2003/09/14/e-mail-on-the-cheap/</guid> <description><![CDATA[SOUTHWEST AIRLINES WANTED to give e-mail accounts to each of its pilots, flight attendants and ground-crew workers&#8212;critical employees who needed to be in the corporate loop but didn&#8217;t even have computers. The problem: It would have been prohibitively expensive to give all 30,000 of them accounts on the corporate mail system, Novell GroupWise. It wasn&#8217;t [...]]]></description> <content:encoded><![CDATA[<p><b>SOUTHWEST AIRLINES WANTED</b> to give e-mail accounts to each of its pilots, flight attendants and ground-crew workers&#8212;critical employees who needed to be in the corporate loop but didn&#8217;t even have computers. The problem: It would have been prohibitively expensive to give all 30,000 of them accounts on the corporate mail system, Novell GroupWise. It wasn&#8217;t just the license fees. Shannon Kessner, manager of Intel core services at Southwest, says that the company would have needed to buy&#8212;and manage&#8212;at least 30 new servers.<br
/><font
CLASS="medium">Instead, Southwest chose a more lightweight e-mail system, Novell&#8217;s NetMail. In early 2002, the company provided e-mail accounts to all 30,000 &#8220;deskless&#8221; employees using a fault-tolerant array of just three servers. Those employees check their mail using Web browsers, usually from home or from PCs installed in airport terminals. Meanwhile, the 8,000 corporate employees with desks still use GroupWise, which includes the collaborative features that they need. Southwest saves money on software licensing: Fees for NetMail are typically $12 to $15 per user, says Novell, compared with about $70 per user for GroupWise. And the airline also saves on administration costs because the new system is simple, stable and requires little maintenance. &#8220;We&#8217;ve had very few problems with it at all,&#8221; says Kessner.</p><p>Like Southwest, many companies are discovering that corporate e-mail systems don&#8217;t have to be expensive to be effective. In many cases, simple, stripped-down mail servers fit the bill quite nicely. But that doesn&#8217;t mean you should rip out your Exchange or Domino servers tomorrow.</p><p></font><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Expensive E-Mail</font> <br
/>Microsoft Exchange and IBM Domino/Notes dominate the corporate e-mail world. Together, the packages own nearly 90 percent of the Global 2000 e-mail market, and that dominance will continue through 2007, according to Meta Group. However, these products are expensive. Mix in costs for maintenance, administration, upgrades, training and downtime, and the average cost of providing e-mail during a three-year period tops $18.45 per user per month for Exchange and $12.55 for Domino, according to The Radicati Group, a consulting and market research company. Add in the platforms and network infrastructure required to run these systems, and the fully loaded, monthly per-user cost soars to $36.56 for Exchange and $33.88 for Domino.</p><p>Fortunately, fully functioning corporate e-mail systems can be had for far less. According to Radicati, Oracle Collaboration Suite averages $5.40 per user per month ($16.25 including the infrastructure costs) and Sun One Messaging Server costs $8.04 ($17.80 including infrastructure).</p><p>If you&#8217;re willing to forego the more advanced features offered by those high-end products, the cost drops to the floor. Sendmail recently announced a partnership with Hewlett-Packard and Intel to provide corporate e-mail (called Workforce Mail) for a total cost of $1 to $2 per user per month, while IBM claims that its new, low-cost Lotus Workplace Messaging can do the same for less than $1.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Switching Costs</font> <br
/>So why would anyone pay high prices when they could deliver e-mail for one-sixth to one-tenth the cost of Exchange?</p><p>One reason is that corporate knowledge workers&#8212;those whose job it is to discover, create and manage information&#8212;actually do use the more complicated collaborative features (document sharing, scheduling and the like) built into Notes and Exchange. In some cases, the low-cost systems lack basic features, such as spellcheckers and mail-filtering rules. And you can&#8217;t switch from a full-featured e-mail system to a less capable one without angering at least some end users. &#8220;Once you&#8217;ve convinced people to use a fork, you don&#8217;t want to take that away and convince them to use a spoon,&#8221; says Mark Levitt, research vice president for collaborative computing at IDC (a sister company to <i>CIO</i>&#8217;s publisher).</p><p>What&#8217;s more, everything you&#8217;ve already spent on e-mail to date is a sunk cost. You&#8217;re not getting that money back, even if you switch. &#8220;Although commodity e-mail systems may look cheap on paper, the ongoing maintenance of your existing e-mail system may not be as expensive as switching,&#8221; says Matt Cain, senior vice president at Meta Group. Finally, switching e-mail platforms requires your IT staff to install and support a new system (a major retraining headache) and to migrate user accounts and data.</p><p>The bottom line? &#8220;I don&#8217;t think there is such a thing as cheap e-mail, particularly if it&#8217;s got the capabilities everybody wants,&#8221; says Robert Moon, CIO and vice president of information services for ViewSonic, whose e-mail system is based on Oracle Collaboration Suite.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Lower Cost of Ownership</font> <br
/>Commodity e-mail systems do, however, offer some powerful advantages that lend themselves to situations where basic e-mail is all you need&#8212;such as providing e-mail to deskless workers or to users who are not computer savvy.</p><p>First and foremost is the lower cost of ownership. Commodity mail systems are based on robust, standard, open Internet mail protocols, such as SMTP, POP3 and IMAP. They run on standard hardware and may use the same back-end data stores as the rest of your enterprise. They can deliver e-mail to end users via Web interfaces (much like Hotmail or Yahoo mail), to standard POP clients such as Eudora or in some cases even to Microsoft Outlook, all of which may simplify client maintenance headaches.</p><p>Lotus Workplace Messaging, for example, uses industry-standard J2EE code running on IBM&#8217;s WebSphere, stores its data in a DB2 database and delivers mail via webpages. If you&#8217;re already running those systems for, say, your Web applications, you can get significant economies of scale by running e-mail on the same platform. (By contrast, Domino uses a proprietary data store, has its own programming language, and generally requires the bulky and idiosyncratic Notes client.)</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Keep It Simple</font> <br
/>When your mail system is based on a standard platform, maintenance is simpler because your IT staff can apply skills it has already learned in managing other IT resources. That&#8217;s one reason Jim Bobo, systems administrator and chief programmer at Courtesy Insurance Agency, switched his company&#8217;s 100 users from Exchange to Stalker Software&#8217;s CommuniGate Pro. &#8220;You don&#8217;t have to have a degree in Microsoftese to use the thing,&#8221; says Bobo.</p><p>Beyond cost, some companies are finding that fewer features can actually be beneficial to the end users. For instance, ManuLife Financial, a Canadian financial services company with extensive business in Asia, used Lotus Workplace Messaging to deliver Web-based e-mail to 3,600 independent insurance agents in Japan. Because most of those agents are not computer savvy, the company wanted an easy-to-use solution. &#8220;A high degree of functionality would be a bad thing because you&#8217;ve got novices who have never used a computer before,&#8221; says Rob Salerno, a partner at MetaLogic Consulting, which installed the Lotus system. &#8220;You need something that has an easy-to-use interface and performs well.&#8221;</p><p>Others agree. For many workers who don&#8217;t use PCs every day&#8212;factory workers, retail employees and the like&#8212;simpler is better. &#8220;Low maintenance and low total cost of ownership make a lot of sense for those workers who don&#8217;t need a lot of high-end features,&#8221; says Dana Gardner, a senior analyst for The Yankee Group.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">A Mature Market</font> <br
/>Such employees&#8212;about one-third of the corporate workforce, according to estimates by Radicati and Ferris Research&#8212;are a tempting market for e-mail vendors. With the rest of the corporate world already sewn up by IBM and Microsoft, vendors are looking for growth where they can get it. Therefore, the recent push toward low-cost mail solutions may be driven more by vendors&#8217; marketing desires than it is by customer needs.</p><p>There&#8217;s also an underlying technical reason for vendors to push standards-based e-mail. Putting e-mail servers on a common foundation gets vendors in line with the overall industry trend toward open Internet standards. &#8220;The business design we have, which is based on industry standards, leverages the industry&#8217;s investment, which is why we can get the licensing costs down,&#8221; says Ambuj Goyal, general manager of IBM&#8217;s Lotus Software. In other words: With millions of developers working on Java applications, IBM doesn&#8217;t have to devote its own resources to building a robust platform from scratch. IBM&#8217;s goal is to have all of its messaging and collaboration products migrate to an open platform over time, says Goyal, while preserving support for current Notes clients.</p><p>Naturally, Microsoft isn&#8217;t taking this threat lying down. The new Exchange Server 2003 includes a per-device licensing option that makes it more economical for companies that want to provide kiosk-based Web access to large numbers of deskless workers. Instead of paying for each user, companies can pay a license fee for each device, with an unlimited number of users. And Microsoft has announced plans to move Exchange toward a SQL-based data store, although that is probably several years from fruition.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">How to Save Money</font> <br
/>In addition to deskless workers in large corporations, commodity mail vendors may find some traction among small and midsize businesses, where the allure of added features may not be enough to overcome high costs. While commodity mail is not going to unseat Exchange and Domino from their thrones, says Yankee Group&#8217;s Gardner, it may contribute to a gradual erosion of their market share over time.</p><p>In the short term, however, most companies are moving cautiously. &#8220;I want to pick a platform that&#8217;s going to be around for a long time,&#8221; says Len Pagon, president and CEO of technology consultancy Brulant. Salerno agrees: &#8220;A lot of companies are playing wait and see&#8212;they&#8217;re waiting for a success story.&#8221;</p><p>&#8220;Commodity mail is nothing new. It&#8217;s been out there for the past decade, and it has yet to take hold in corporate America,&#8221; says Meta&#8217;s Cain. Instead of switching mail systems, Cain recommends looking for ways of reducing costs in your existing mail setup: Consolidating servers, centralizing and managing storage more effectively, and adding Web mail access to eliminate client maintenance and training headaches.</p><p>Still, if you&#8217;re adding large numbers of new users to your e-mail system, if you&#8217;re expanding your mail system to groups of employees that haven&#8217;t had mail accounts, or if you&#8217;re a small company with a tight IT budget, you should take a look at low-cost mail alternatives. If nothing else, those systems are providing IBM and Microsoft with some much-needed competition. And they just might deliver what you need at a fraction of the cost. <br
/><h2>Sidebar: Economical E-mail Servers</h2><p><b><font
COLOR="#000066">Anticipated benefit</font></b> Provide basic e-mail services at lower cost than full-fledged e-mail systems.</p><p><b><font
COLOR="#000066">Hurdles</font></b> Lack of collaboration features. Switching costs. Reluctance to use smaller vendors.</p><p><b><font
COLOR="#000066">Primary markets</font></b> Large enterprises with &#8220;deskless&#8221; workers. Small and midsize businesses.</p><p><b><font
COLOR="#000066">Estimated cost</font></b> 50 cents to $2 per user per month.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Vendors</font> <br
/><b>Gordano</b><br
/><a
HREF="http://www.gordano.com/"><i>www.gordano.com</i></a>: GMS Mail for Unix and Windows platforms.</p><p><b>IBM/Lotus Software<br
/></b><a
HREF="http://www.lotus.com/"><i>www.lotus.com</i></a>: Workplace messaging and Notes e-mail.</p><p><b>Ipswitch<br
/></b><a
HREF="http://www.ipswitch.com/"><i>www.ipswitch.com</i></a>: IMail Server for Windows 2000 and Windows NT.</p><p><b>Microsoft<br
/></b><a
HREF="http://www.microsoft.com/"><i>www.microsoft.com</i></a>: Exchange messaging and collaboration.</p><p><b>Mirapoint<br
/></b><a
HREF="http://www.mirapoint.com/"><i>www.mirapoint.com</i></a>: Message Server appliances.</p><p><b>Novell<br
/></b><a
HREF="http://www.novell.com/"><i>www.novell.com</i></a>: NetMail e-mail and calendaring system.</p><p><b>Oracle<br
/></b><a
HREF="http://www.oracle.com/"><i>www.oracle.com</i></a>: Collaboration Suite messaging and collaboration system.</p><p><b>Sendmail<br
/></b><a
HREF="http://www.sendmail.com/"><i>www.sendmail.com</i></a>: Workforce Mail server.</p><p><b>Stalker Software<br
/></b><a
HREF="http://www.stalker.com/"><i>www.stalker.com</i></a>: CommuniGate Pro mail server.</p><p><b>Sun</b><br
/><a
HREF="http://www.sun.com/"><i>www.sun.com</i></a>: Sun One Messaging Server corporate messaging platform.<br
/><hr
/>Dylan Tweney is a freelance writer based near San Francisco. He can be reached at <i>dft at tweney.com</i>.<p>Link: <a
href="http://www.cio.com/archive/091503/et_article.html">E-Mail on the Cheap</a></p><p>Link broken? Try <a
href="http://web.archive.org/web/*/http://www.cio.com/archive/091503/et_article.html">the Wayback Machine</a>.</p> ]]></content:encoded> <wfw:commentRss>http://dylan.tweney.com/2003/09/14/e-mail-on-the-cheap/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Defensive Postures</title><link>http://dylan.tweney.com/2003/06/14/defensive-postures/</link> <comments>http://dylan.tweney.com/2003/06/14/defensive-postures/#comments</comments> <pubDate>Sun, 15 Jun 2003 07:00:00 +0000</pubDate> <dc:creator>Dylan Tweney</dc:creator> <category><![CDATA[CIO]]></category> <category><![CDATA[Published Work]]></category><guid
isPermaLink="false">http://dylan.tweney.com/2003/06/14/defensive-postures/</guid> <description><![CDATA[THE SQL SLAMMER WORM began its rampage shortly after midnight on Jan. 25, 2003. Within days, the insidious piece of code had infected more than 120,000 computers, slowed Internet traffic, crashed sites and even disabled ATMs, costing companies an estimated $1 billion in lost productivity worldwide, according to analyst firm Mi2g. The irony? Slammer exploited [...]]]></description> <content:encoded><![CDATA[<p><b>THE SQL SLAMMER WORM</b> began its rampage shortly after midnight on Jan. 25, 2003. Within days, the insidious piece of code had infected more than 120,000 computers, slowed Internet traffic, crashed sites and even disabled ATMs, costing companies an estimated $1 billion in lost productivity worldwide, according to analyst firm Mi2g. The irony? Slammer exploited a vulnerability in SQL Server for which Microsoft had already issued a patch&#8212;six months earlier.</p><p>It&#8217;s not that IT administrators are lazy or negligent&#8212;it&#8217;s that locking down operating systems and applications has become an almost unmanageable job. The CERT Coordination Center recorded 417 security vulnerabilities in 1999. By 2002, there were 4,129 new vulnerabilities.</p><p>This situation makes the newest class of security technologies&#8212;intrusion prevention systems (IPSs)&#8212;look pretty good. Supplementing patches, firewalls and other traditional approaches to security, an IPS can provide security at the most fundamental levels: the operating system kernel and the network data packet. 
An IPS can also be cheap insurance: Host-based systems can cost as little as a few thousand dollars per server, while network-based IPS appliances typically cost between $10,000 and $90,000, plus ongoing support fees.</p><p>&#8220;It makes sense to protect the host so that if all else fails, it will have a better chance of standing alone on its own two feet,&#8221; says Bill Stevenson, information security officer for New Century Mortgage. His company has been using host-based intrusion prevention from Entercept since late 2000 as a major part of the back-field defense for its servers. So far, it&#8217;s worked: New Century&#8217;s IPS successfully repulsed Slammer.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Don&#8217;t Tell Me, Fix It!</font> <br
/>Interest in intrusion prevention is increasing, thanks in part to a growing disenchantment with intrusion detection systems (IDSs), which notify administrators of attacks but don&#8217;t actually stop those attacks. Market maturity is also a factor, as demonstrated by the acquisition of IPS company OneSecure by Netscreen along with planned acquisitions by Cisco (of Okena) and Network Associates (of Entercept and Intruvert).</p><p>These factors should spark significant growth in the IPS space. Market research company Infonetics estimates the combined intrusion detection and intrusion prevention market will grow to $1.6 billion by 2006, with IPS accounting for the majority of the growth.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Market Confusion</font> <br
/>Intrusion detection vendors, such as Cisco, Internet Security Systems and SourceFire, are retooling their products to proactively stop network attacks. CheckPoint and NetScreen are adding IPS capabilities to their firewalls. And dozens of smaller vendors are touting security add-ons, secure Web servers and even ordinary firewalls as &#8220;intrusion prevention systems.&#8221;</p><p>The result is a confused marketplace. &#8220;Since there are so many different ways to detect an attack, it&#8217;s very unclear what you mean when you use a term such as <i>intrusion prevention</i>,&#8221; says Pete Lindstrom, research director for Spire Security, an independent analyst company.</p><p>Lindstrom and other analysts differentiate true intrusion prevention systems from older technologies, such as firewalls and IDSs, that have been updated with new &#8220;prevention&#8221; features. Broadly speaking, the new crop of IPS products fall into two categories: host-based intrusion prevention (HIP) products such as those offered by Entercept, Harris and Okena; and even newer network-based intrusion prevention appliances offered by companies including Intruvert, OneSecure and TippingPoint.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Locking Down the Host</font> <br
/>A HIP product protects servers and workstations through software agents that sit between applications and the OS&#8217;s kernel. It intercepts system activity on the lowest level&#8212;disk read-write requests, network connection requests, and attempts to change the registry and write to memory&#8212;and either allows or denies the activity based on predetermined rules. For example, an application would not be able to modify certain files or change data in the system registry. A HIP system can also block behavior that is clearly malicious, such as rewriting OS executables. The upshot is that most security exploits simply won&#8217;t work. Attackers might be able to get through your network defenses to a server, but they couldn&#8217;t actually do anything once they got there.</p><p>For Stuart McClure, president and CTO of Foundstone, host-based intrusion prevention is a much-needed stopgap measure. Foundstone, a security software and services company, uses Entercept to protect its servers against known vulnerabilities without having to install security patches first. This lets the company test and install patches on a monthly schedule instead of rushing to install them as soon as they are released.</p><p>A HIP benefits from contextual information about the server being attacked, which can make it more efficient than blanket network security. &#8220;You can get a microscopic analysis of what&#8217;s going on,&#8221; says Ed Skoudis, vice president of security strategy for Predictive Systems, an IT consultancy that works with both Okena and Entercept. A HIP system on a Solaris box can safely ignore attacks aimed at Windows systems, for instance. And because they focus on behavior, HIP systems can resist never-before-seen attacks, whereas network-based IDS and IPS systems require constant updates to identify the latest worms, viruses and exploits.</p><p>There are downsides to host-based intrusion prevention, however. It&#8217;s useless against intrusions aimed at your network in general&#8212;such as denial-of-service attacks. You also need to install it on every system you want to protect, which can create a deployment headache. (HIP vendors have only recently started adding enterprise-level management tools to their products.) HIP also uses some system resources, although McClure estimates only 2 percent to 5 percent of CPU time.</p><p>What&#8217;s more, HIP systems truly are the last line of defense. &#8220;They only function when things have gotten seriously out of hand,&#8221; says Martin Roesch, founder and CTO of security services provider SourceFire.
&#8220;Every car should have airbags, but wouldn&#8217;t it be nicer to avoid the accident in the first place?&#8221; Still, for providing an additional layer of security on critical hosts, HIP is a compelling option.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Network-Based Protection</font> <br
/>In general, network systems sit &#8220;in line,&#8221; intercepting network traffic, scanning it for suspicious activity, and either blocking it or passing it along. Such systems use a range of techniques, from IDS-like signature scanning (looking for telltale strings of bytes) to protocol anomaly detection (figuring out when a packet of data is trying something not ordinarily permitted by its data transmission protocol).</p><p>Some network intrusion prevention systems take more devious approaches to network protection. ForeScout&#8217;s ActiveScout, for instance, responds to suspicious activity (such as port scanning) by sending a specially coded, &#8220;tagged&#8221; response. If the attacker then tries to act on the tagged information, ActiveScout immediately recognizes that an attempted attack is in progress and can shut off the connection before any damage occurs.</p><p>Network-based intrusion prevention can be useful in situations where host-based protection is impractical and firewalls aren&#8217;t effective&#8212;for instance, against attacks that originate within your own network. University of Dayton Associate Provost and CIO Thomas Danford, like many higher education IT executives, has to deal with students bringing worms and viruses onto the internal network regularly. &#8220;Before you know it, we&#8217;ve got worms slamming around all over the place,&#8221; says Danford, who calculates that the university receives 3,200 attacks on an average day. The solution: TippingPoint&#8217;s UnityOne IPS, which Danford installed behind the firewall to shut down suspicious traffic. When the Slammer worm hit in January, says Danford, &#8220;we didn&#8217;t experience any problems at all.&#8221;</p><p>Many IT managers, however, are reluctant to trust network-based intrusion prevention, in part because of the risk of service interruption. 
If your IDS misidentifies legitimate traffic, the false alarm is merely annoying; but an IPS that shuts down a customer connection by mistake could hurt your bottom line. &#8220;When people need to get to your system to trade, a couple of seconds of downtime could get you a seriously irate customer,&#8221; says a chief security officer at a financial services company who declined to be named. &#8220;For automated blocking, we think [intrusion prevention] systems are not mature enough to rely on yet.&#8221;</p><p>To the extent that network-based systems rely on signatures to identify attacks, they&#8217;ll need to be updated&#8212;and they may have difficulty stopping brand-new attacks. It&#8217;s also important to consider the impact on network performance when installing an in-line system&#8212;if it can&#8217;t support your network&#8217;s maximum bandwidth utilization or introduces significant latencies, it will be a bottleneck. For that reason, many vendors are moving toward appliances (some of which support gigabit speeds), rather than software.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Where IPS Fits In</font> <br
/>Almost no one claims that any type of intrusion prevention system will replace firewalls and other mainstays of network security outright. Instead, analysts say, these systems make the most sense as part of a layered security strategy that makes use of several different technologies at multiple points in your network.</p><p>Nor will IPS kill the intrusion detection market, at least in the short term. If an attacker makes it past your other defenses (including the IPS), an IDS provides the information you need to contain the damage and prevent future attacks.</p><p>Ultimately, predicts Richard Stiennon, a research director at Gartner, network-based IPS capabilities will be integrated into firewall appliances. The host-based IPS, say Spire Security&#8217;s Lindstrom and other experts, will likely become more agent-based, centrally managed and ubiquitous&#8212;perhaps as part of an enterprise&#8217;s overall systems management strategy. But one thing is certain: As the number of attacks and vulnerabilities continues to grow, so will interest in intrusion prevention technologies of all kinds.</p><p>&#8220;Return on security investment is something that&#8217;s very, very difficult to show,&#8221; says New Century&#8217;s Stevenson. &#8220;But you pick up the paper every couple weeks, and to know that we&#8217;ve bypassed the latest critical worm or virus that&#8217;s on the Internet&#8212;that&#8217;s return on investment.&#8221;</p><table
width=146 cellpadding=2 bgcolor="B0C4DE"><tr><td><font
face="arial, helvetica, geneva" color="#000033"><b>Intruder Alert!</b></p><p><b><font
SIZE="-2" COLOR="#000033" FACE="verdana, arial, helvetica, geneva">Technology</font></b> </font><font
FACE="Verdana,arial,helvetica,geneva,sans serif" size="-2">Intrusion prevention systems</p><p><b><font
SIZE="-2" COLOR="#000033" FACE="verdana, arial, helvetica, geneva">Anticipated benefit</font></b> Adds security to networks and computers by intercepting attacks before they do damage.</p><p><b><font
SIZE="-2" COLOR="#000033" FACE="verdana, arial, helvetica, geneva">Hurdles</font></b> Network-based systems may inadvertently block legitimate traffic. Host-based systems are ineffective against denial-of-service attacks.</p><p><b><font
SIZE="-2" COLOR="#000033" FACE="verdana, arial, helvetica, geneva">Estimated cost</font></b> $5,000 to $90,000</p><p><b><font
SIZE="-2" COLOR="#000033" FACE="verdana, arial, helvetica, geneva">Vendors</font></b></p><p><b>Host-based systems:</b></p><p><b>* Entercept Security Technologies</b><br
/><a
HREF="http://www.entercept.com/"><i>www.entercept.com</i></a><br
/> (Acquisition by Network Associates pending at press time.)</p><p><b>* Harris STAT Neutralizer</b><br
/> <a
HREF="http://www.statonline.com/"><i>www.statonline.com</i></a></p><p><b>* Okena StormWatch and StormFront</b><br
/> <a
HREF="http://www.okena.com/"><i>www.okena.com</i></a> <br
/>(Acquisition by Cisco is pending at press time.)</p><p><b>* Sana Security</b> <br
/><a
HREF="http://www.sanasecurity.com/"><i>www.sanasecurity.com</i></a></p><p><b>Network-based systems:</b></p><p><b>* Captus Networks</b><br
/> <a
HREF="http://www.captusnetworks.com/"><i>www.captusnetworks.com</i></a></p><p><b>* Cisco Systems IDS</b><br
/> <a
HREF="http://www.cisco.com/"><i>www.cisco.com</i></a></p><p><b>* ForeScout ActiveScout</b><br
/> <a
HREF="http://www.forescout.com/"><i>www.forescout.com</i> </a></p><p><b>* Internet Security Systems RealSecure Network Protection</b><br
/><a
HREF="http://www.iss.net/"><i>www.iss.net</i></a></p><p><b>* Intruvert Networks</b><br
/> <a
HREF="http://www.intruvert.com/"><i>www.intruvert.com</i></a><br
/> (Acquisition by Network Associates pending at press time.)</p><p><b>* NetScreen Technologies IDP</b><br
/> <a
HREF="http://www.netscreen.com/"><i>www.netscreen.com</i></a><br
/> (Formerly OneSecure IDP.)</p><p><b>* TippingPoint Technologies UnityOne</b><br
/> <a
HREF="http://www.tippingpoint.com/"><i>www.tippingpoint.com</i></a></p><p></font></td></tr></table><p>Dylan Tweney (<a
HREF="mailto:dylan@tweney.com"><i>dylan@tweney.com</i></a>) is a freelance writer based in San Mateo, Calif.<p>Link: <a
href="http://www.cio.com/archive/061503/et_article.html">Defensive Postures</a></p><p>Link broken? Try <a
href="http://web.archive.org/web/*/http://www.cio.com/archive/061503/et_article.html">the Wayback Machine</a>.</p> ]]></content:encoded> <wfw:commentRss>http://dylan.tweney.com/2003/06/14/defensive-postures/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Build It Free</title><link>http://dylan.tweney.com/2003/04/14/build-it-free/</link> <comments>http://dylan.tweney.com/2003/04/14/build-it-free/#comments</comments> <pubDate>Tue, 15 Apr 2003 07:00:00 +0000</pubDate> <dc:creator>Dylan Tweney</dc:creator> <category><![CDATA[CIO]]></category> <category><![CDATA[Published Work]]></category><guid
isPermaLink="false">http://dylan.tweney.com/2003/04/14/build-it-free/</guid> <description><![CDATA[Open-source development tools offer low-cost, high-quality options. BY DYLAN TWENEY ANDRIG MILLER first got excited about Java&#8217;s possibilities in March 1998, when Sun Microsystems released the initial version of the Enterprise JavaBeans (EJB) specification. But it was more than four years before Miller, vice president of technical architecture for office product supplier Corporate Express, was [...]]]></description> <content:encoded><![CDATA[<div
id="dek-info">Open-source development tools offer low-cost, high-quality options.</div><div
id="dek-by">BY DYLAN TWENEY</div><p><font
class=medium><b>ANDRIG MILLER</b> first got excited about Java&#8217;s possibilities in March 1998, when Sun Microsystems released the initial version of the Enterprise JavaBeans (EJB) specification. But it was more than four years before Miller, vice president of technical architecture for office product supplier Corporate Express, was ready to put an EJB application into production. When the company finally deployed its first EJB application, in December 2002, it was running on JBoss, an open-source application server that competes with platforms such as BEA Systems&#8217; WebLogic and IBM&#8217;s WebSphere.</p><p><span
class=medium>That first application tracks order status in a variety of legacy systems, handling as many as 75,000 transactions per hour, says Miller. Reliability and speed were essential considerations. &#8220;We got a lot of benefits from taking our time&#8212;for instance, the EJB 2.0 spec matured a lot,&#8221; he says. JBoss improved too and added such enterprise-friendly features as support for clustered servers. Corporate Express, a $5 billion company, now has six EJB applications in production, all running on JBoss.</p><p>JBoss is just one of a wide array of open-source development tools that are slowly gaining acceptance among enterprise developers. Cost is often a primary driver. Miller estimates that his company has saved $6 million in the past three years by using JBoss and other open-source tools. As Marc Fleury, president and founder of the JBoss Group, puts it, &#8220;Most people understand free.&#8221; (Even BEA understands: The company recently announced no-cost one-year developer licenses for WebLogic.)</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Quality Code</font> <br
/>Cost isn&#8217;t the only factor, however. Developers are attracted to open-source tools by their flexibility, the capability to customize the underlying code, their high quality, and the willingness of the open-source community to help with implementation and development problems. &#8220;Open-source projects in general seem to be pretty good at fulfilling developer needs quickly,&#8221; notes Greg Hinkle, a technology specialist at IT consultancy Sapient. That&#8217;s not surprising, given that developers are the ones driving open-source projects.</p><p>But more and more, open-source tools are also fulfilling the CIO&#8217;s needs&#8212;especially as the tools become more competitive with commercial alternatives. For example, Miller&#8217;s team evaluated several commercial application servers, including WebLogic and WebSphere, but couldn&#8217;t find the combination of performance, support and development features that Corporate Express needed.</p><p>&#8220;Besides JBoss, we&#8217;ve adopted a lot of other open-source things since 2000,&#8221; Miller says, noting the company&#8217;s use of Linux, Apache, OpenSSL, Tomcat (an Apache add-on for processing Java Servlets and JavaServer Pages), Jakarta Lucene (a text search engine) and Jakarta Jetspeed (an enterprise information portal). &#8220;The prime driver for us is not really the cost&#8212;though the cost savings have been very substantial&#8212;but the software quality.&#8221;</p><p>Open-source tool use is widespread, but it accounts for a minority of development happening in the enterprise today. According to Evans Data&#8217;s 2002 &#8220;North American Developer Survey,&#8221; 53 percent of developers use some open-source code (from repositories such as SourceForge), and 51 percent use open-source development tools at least occasionally. However, most developers spend the majority of their time using commercial products. 
Only 9 percent spend more than half their time using open-source tools.</p><p>Still, interest continues to mount. &#8220;There&#8217;s more and more acceptance of open-source tools as things like Linux and Apache become more widespread,&#8221; says Mark Driver, research director at Gartner.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">An Array of Tools</font> <br
/>Developers who want open-source development tools have a smorgasbord to choose from. These include low-level programming tools such as GNU Emacs, a text and code editor, and the GNU Compiler Collection, a suite of compilers for C, C++, Fortran, Java and other languages. Such tools often come into an organization simply because they&#8217;re so widespread in the Unix world and developers have been using them for years. &#8220;Emacs has a very steep learning curve, but people who are very familiar with it can be incredibly productive and efficient,&#8221; says John Alberg, cofounder and vice president of engineering at Employease, a provider of human resources software.</p><p>Developers often use newer application platforms, such as JBoss and Tomcat, to develop applications&#8212;and increasingly to deploy the final apps. (JBoss was downloaded more than 2 million times last year, according to Fleury.) One advantage cited by many managers is that JBoss lets developers test EJB code on their desktop systems without having to first deploy it to a server elsewhere, an efficiency that can significantly cut development time.</p><p>Finally, there are open-source integrated development environments (IDEs) such as the IBM-driven Eclipse project and Sun Microsystems&#8217; NetBeans. The Eclipse community, which began in 2001, has grown rapidly, with more than 175 tool vendors providing plug-ins for the platform. Part of the reason for its popularity is that it provides a common, simple framework for development&#8212;and for integrating a disparate array of tools. &#8220;The open-source community 24 months ago was a collection of nifty tools, but there really wasn&#8217;t an IDE out there to bring those tools together and to shorten the learning curve,&#8221; says Andy George, vice president of research and development at GE Retail Systems, a provider of software to the retail industry. 
&#8220;Now, any Joe Engineer can take the Eclipse product and be pretty productive.&#8221;</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Setting a Standard</font> <br
/>Another factor driving open-source alternatives is standardization. &#8220;Open source tends to work well when the technology is relatively straightforward and simple,&#8221; says Driver. Case in point: Apache dominates the Web server market because the relevant standards are so well-established that commercial vendors can no longer differentiate their products profitably. As the J2EE standard matures, Driver sees a similar shift happening in the application server market. However, he says, &#8220;I don&#8217;t know that we&#8217;re ever going to see JBoss achieve the critical mass of Apache because there are many well-established commercial alternatives to [JBoss].&#8221;</p><p>Apache Software Foundation cofounder Brian Behlendorf disagrees. &#8220;I think that space is ripe for commodification,&#8221; says Behlendorf, who is also founder and CTO of open-source software and service provider CollabNet. &#8220;People are getting tired of spending $10,000 per CPU. For most people, running websites with a million hits or less per day, you can accomplish a lot with the open-source application servers that are out there.&#8221;</p><p>While open-source tools benefit from having standards in place, the tools can also create de facto standards. &#8220;The challenge with pure standards is that a standard is just a piece of paper,&#8221; says Scott L. Hebner, director of marketing for IBM WebSphere. &#8220;Open source is probably the next step, logically. Why just provide a piece of paper&#8212;why don&#8217;t we actually provide a reference platform that implements the standard?&#8221;</p><p>For example, CVS, a code-management and version-control system, is so widely used that even commercial development tools now include support for it. Of course, it helps that CVS actually works. &#8220;We&#8217;ve found it&#8217;s an incredibly powerful version-control system, and it scales very well,&#8221; says Alberg.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Look Before You Leap</font> <br
/>Although developers may be pushing for open-source tools, CIOs are less enthusiastic, citing concern about support, accountability and potential legal issues. Product support is a big issue, especially because you&#8217;re depending on the goodwill of the open-source community, which provides support through online forums and FAQs, and documentation is often minimal or nonexistent. Before committing to an open-source product, companies need to ensure that the community behind it is committed and reliable. In some cases, you can purchase support contracts from a vendor (JBoss Group and CollabNet are two companies whose businesses are largely based on providing support for open-source development tools), but that option is not available for every product.</p><p>The learning curve for open-source tools is also typically steep, and the tools tend to be aimed at power users.</p><p>Finally, the quality of open-source tools is highly variable, and some lack features required by enterprise development teams. JBoss appeals to those who are &#8220;looking to get 80 percent of the capabilities of WebSphere at zero percent of the cost,&#8221; says Gartner&#8217;s Driver. The low cost may be enough to justify the trade-off, but it depends on the environment and whether you can do without the missing features. JBoss, for instance, lacks the development environments packaged with WebSphere and other application servers.</p><p>&#8220;If you use open-source IDEs, you get a very mixed bag of capabilities,&#8221; says John Parkinson, chief technologist for the Americas region at Cap Gemini Ernst &#038; Young. In the same vein, open-source collaborative development tools lack enterprise features such as transparent progress tracking and centralized management systems. &#8220;People like to know where you are and how soon you&#8217;ll be done, and a lot of these tools give up on that aspect in order to be done quickly,&#8221; says Parkinson.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Increasing Productivity</font> <br
/>Parkinson acknowledges that the most productive, &#8220;extreme&#8221; programmers often favor open-source tools&#8212;and that it might make sense to use such tools just to keep those developers happy. &#8220;You can have a lot more impact by making the really good guys twice as productive as you can by making the average programmer twice as productive,&#8221; says Parkinson. &#8220;If you&#8217;re going to get the most out of people like that, you&#8217;ve got to give them what they like to use.&#8221;</p><p>In the end, IT managers need to make the same cost-benefit analysis as they would for any product&#8212;and that&#8217;s an equation that will leave many open-source tools looking pretty good, even if they lack a few features. &#8220;There&#8217;s not a long laundry list of things that people actually need,&#8221; says Tim Witham, lab director for the Open Source Development Lab, which supports open-source developers. &#8220;If you look at the feature set of an IDE, there&#8217;s a very small set of features that people need day-to-day.&#8221;</p><p>To sort out the wheat from the chaff, you&#8217;ll need the help of your top developers. &#8220;If your development staff is keeping a finger on the pulse of the open-source community, you&#8217;re bound to have a developer organization that understands leading-edge technologies,&#8221; says Adina K. Madrid, director of technology for Digital@jwt, an e-business development shop. &#8220;Then, it&#8217;s up to you to make the business decision as to whether it makes sense in each situation.&#8221; </span></font></p><h2>SIDEBAR: Open Sources</h2><p><i>Open source development tools at a glance.</i><br
clear=all/><br
/><font
size=-1 face="verdana, arial, helvetica, geneva, sans serif"><b>Anticipated benefits</b> Low cost. Widespread support through development communities. Ability to modify source code. Tools often constitute de facto standards.</p><p><b>Hurdles</b> Tool quality varies. Some tools lack support. Slow upgrade cycles. Long learning curve compared with commercial tools.</p><p><b>Primary markets</b> Enterprise development teams, especially those already using Linux or other open-source software. Software vendors. IT consultancies.</p><p><b>Estimated cost</b> Zero licensing fees. Support contracts from commercial vendors add variable costs.</p><p><b>Major open-source projects</b></p><p>CVS (www.cvshome.org): Code management system.</p><p>Eclipse (www.eclipse.org): IBM-sponsored integrated development environment.</p><p>GNU Compiler Collection (gcc.gnu.org): Compilers for C, C++, Java and other languages.</p><p>JBoss (www.jboss.org): Enterprise JavaBeans application server.</p><p>Mono (www.go-mono.com): Project to replicate Microsoft .Net Development Framework functions on an open-source platform.</p><p>NetBeans (www.netbeans.org): Sun Microsystems-sponsored integrated development environment extensible via modules.</p><p>Tomcat (jakarta.apache.org/tomcat): Apache module for Java Servlets and JavaServer Pages.</p><p><b>Open-source repositories</b></p><p>Apache Jakarta Project (jakarta.apache.org): Repository of open-source solutions for Java.</p><p>SourceForge (sourceforge.net): Repository of open-source code and applications.</font></p><p>Dylan Tweney (<a
HREF="mailto:dylan@tweney.com"><i>dylan@tweney.com</i></a>) is a freelance writer and editor in San Mateo, Calif.<p>Link: <a
href="http://www.cio.com/archive/041503/et_article.html">Build It Free</a></p><p>Link broken? Try <a
href="http://web.archive.org/web/*/http://www.cio.com/archive/041503/et_article.html">the Wayback Machine</a>.</p> ]]></content:encoded> <wfw:commentRss>http://dylan.tweney.com/2003/04/14/build-it-free/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Who&#8217;s on Your Network?</title><link>http://dylan.tweney.com/2002/09/14/whos-on-your-network-2/</link> <comments>http://dylan.tweney.com/2002/09/14/whos-on-your-network-2/#comments</comments> <pubDate>Sun, 15 Sep 2002 07:00:00 +0000</pubDate> <dc:creator>Dylan Tweney</dc:creator> <category><![CDATA[CIO]]></category> <category><![CDATA[Published Work]]></category><guid
isPermaLink="false">http://dylan.tweney.com/2002/09/14/whos-on-your-network-2/</guid> <description><![CDATA[Intrusion detection systems can work, but they require time and money BY D.F. TWENEY ARKANSAS STATE UNIVERSITY is asking for trouble. The school is in the midst of a major network upgrade that will eventually bring gigabit-speed network capacity to every dorm room and office on campus&#8212;making the network a tempting playground for hackers, says Greg [...]]]></description> <content:encoded><![CDATA[<p>Intrusion detection systems can work, but they require time and money<br
clear=all/><br
/><b><font
SIZE="-1" FACE="verdana, arial, helvetica, geneva">BY D.F. TWENEY</font></b></p><p><font
size=-1 face="verdana, arial, helvetica, geneva, sans serif"><b>ARKANSAS STATE UNIVERSITY</b> is asking for trouble. The school is in the midst of a major network upgrade that will eventually bring gigabit-speed network capacity to every dorm room and office on campus&#8212;making the network a tempting playground for hackers, says Greg Williamson, associate director of information and technology services at the Jonesboro, Ark., university.</p><p><span
class=medium>For Williamson, a network intrusion detection system (IDS) from Cisco is the key to staying on top of the network&#8212;and its potential abuses. Whenever any one of these IDS components spots a potential security threat&#8212;a virus, say, or an impending hacker attack&#8212;it notifies a central management console. If the threat is serious enough, the system automatically pages IT staff, who can deal with the attack by shutting off access, reconfiguring systems, and even identifying a hacker&#8217;s dorm room and calling campus security.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">IDS&#8212;What Is It?</font> <br
/>Like Arkansas State, many organizations are finding that firewalls, antivirus software and user authentication policies aren&#8217;t enough to keep networks safe. That explains the growing market for intrusion detection technology from established vendors such as Cisco Systems, Enterasys Networks and Internet Security Systems; new players including IntruVert, OneSecure and Recourse Technologies (Recourse was recently purchased by Symantec); and even the open-source IDS known as Snort.</p><p>In its simplest form, an intrusion detection system identifies and records potential security threats&#8212;such as someone scanning server ports or making repeated attempts to log in using random passwords. As such, it&#8217;s not a replacement for other security measures. &#8220;An IDS is like the video camera in a convenience store or a bank,&#8221; says Stuart McClure, president and CTO of security consultancy Foundstone in Mission Viejo, Calif. A video camera doesn&#8217;t replace the locks on the door or the safe, but if someone breaks through those security measures, the camera provides a record that can help nab the perpetrators and buttress the security system against future attacks.</p><p>Intrusion detection systems work in a number of ways. A network-based IDS relies on network sensors that monitor packets as they go by. 
Typically, a network-based IDS comprises sensors at network entry points (alongside a firewall, for instance) or at the boundaries between subnets with different security levels (such as between your LAN and your data center).</p><p>A host-based IDS, by contrast, monitors activity on specific servers or mainframe hosts by keeping an eye on the integrity of critical files, or by monitoring specific operating system events (such as suspicious error messages or unusual server processes).</p><p>Similar to virus scanners, network- and host-based IDS solutions also frequently make use of signature scanning, looking for unique data fingerprints that identify certain types of attacks.</p><table
width=150 cellpadding=8 bgcolor="white" align=right><tr><td><font
FACE="Verdana,arial,helvetica,geneva,sans serif" size="-1" color="#990000"><br
/><b>Most intrusion detection systems err on the side of caution.</b></font></td></tr></table><p> The weakness of this approach is that signatures must be constantly updated to keep pace with the ever-evolving techniques of hackers. To address this shortcoming, some intrusion detection systems look for any network activity that lies outside a certain prescribed range of &#8220;safe&#8221; activities, an approach known as anomaly detection.</p><p>The problem with all intrusion detection systems is that they are not, and probably never will be, plug-and-play. Unlike firewalls, most intrusion detection systems require considerable technical smarts to set up and configure properly.</p><p>But the biggest management problem is the alarms. Every IDS, by its nature, generates alarms whenever it detects something that looks like suspicious activity. But every network is different, and computers aren&#8217;t very good at telling the difference between, say, the &#8220;I Love You&#8221; e-mail virus and an e-mail message from your systems administrator that is merely warning you about the virus. As a result, most intrusion detection systems err on the side of caution. Consequently, they generate lots of false alarms&#8212;as many as thousands per day in extreme cases.</p><p>&#8220;There&#8217;s a tendency by IDS vendors to show that their products work,&#8221; says Lloyd Hession, chief security officer for Radianz, a New York City-based provider of IP network services to the financial industry. Hapless IT managers are then faced with a &#8220;massive overload of information,&#8221; Hession says. Every one of those alarms is potentially something that your security staff will have to evaluate to determine whether it&#8217;s a legitimate use of your network or a hostile attack.</p><p>Over time, the staff that monitors your IDS will learn both how to sort real attacks from false alarms and how to tune the IDS to reduce false alarms. 
Arkansas State&#8217;s Williamson says his staff initially got paged by their IDS 30 to 40 times per day, but after the system had been running for a few months, the number dropped to just two or three per day. &#8220;It can take six months to tune an IDS to the point where you&#8217;ve eliminated false positives,&#8221; says Michael Rasmussen, director of research in information security for Cambridge, Mass.-based Giga Information Group.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">The Vendor Hype</font> <br
/>Naturally, IDS vendors aren&#8217;t sitting still. Relatively new IDS companies, such as OneSecure and Intruvert, are combining signature- and anomaly-based intrusion detection techniques to increase the intelligence of their systems and even block attacks as they happen, rather than simply alerting the IT staff to the presence of attacks. Other vendors, such as ForeScout, use statistical analysis of your network&#8217;s normal traffic to automatically identify anomalous packets&#8212;a sort of self-tuning IDS. Still others, such as TippingPoint Technologies and Sourcefire, are throwing hardware at the problem, by building very fast, optimized IDS appliances that can analyze network traffic at much higher speeds (and with more complicated signature detection algorithms) than ordinary servers running IDS software can. Finally, the market leaders, including ISS and Cisco, continue to hone their offerings to improve manageability and the intelligence of their network sensors.</p><p>But all those advances won&#8217;t eliminate the need for human intervention. &#8220;I don&#8217;t think organizations are willing to take the risk and liability of having a tool make [the decisions] for them,&#8221; says Julia H. Allen, a senior member of the technical staff in the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. &#8220;There&#8217;s always going to be some human oversight in that process.&#8221;</p><p>Others agree. &#8220;Intrusion detection is extremely high maintenance,&#8221; says Bruce Larson, a system vice president and director of special network operations for San Diego-based SAIC International (he designs and deploys network security architectures for SAIC clients, including several government agencies and utilities). 
He estimates that you need at least one full-time network engineer to monitor and tune an IDS&#8212;or about $150,000 in fully loaded annual salary costs.</p><p>One alternative: Outsource IDS management to a managed services company such as Counterpane Internet Security, whose employees will screen IDS alarms and forward only the most significant alerts to your IT staff, in return for monthly fees of $7,000 to $12,000.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">How to Make IDS Work</font> <br
/>But outsourced or not, intrusion detection systems are expensive: Appliances can run to $15,000 or more apiece; full-blown systems may cost $100,000 or more. Add staffing support, and an IDS represents a significant investment (not to mention a management headache). That&#8217;s one reason the IDS market is still so much smaller than the firewall market, according to Jeff Wilson, executive director at San Jose, Calif.-based Infonetics, a market researcher and consultancy. The other is that it&#8217;s so hard to manage: &#8220;The IDS market isn&#8217;t that useful yet, and you have to sort through mounds of data to get anything useful out of it,&#8221; he says.</p><p>On the other hand, if you have valuable assets to protect, you may have no option but to deploy an IDS. Auditors often require IDS technology before they will certify a company&#8217;s network as being adequately secured, particularly in highly regulated industries such as financial services and health care. Apart from regulatory requirements, deciding whether to buy an IDS is a matter of risk analysis. &#8220;You have to look at the whole solution space and ask, What am I trying to protect, what do I need, and what can I afford?&#8221; says CERT&#8217;s Allen.</p><p>But deploying an IDS is no cakewalk. According to Rasmussen, most companies&#8217; IDS deployments are doomed from the start. &#8220;Only one in four IDS implementations has any chance of success, and only one in 10 will be truly successful,&#8221; says Rasmussen, citing issues around the problem of false positives, lack of adequate staffing and the failure of many organizations to put their IDS in the context of an overall security management process.</p><p>In other words, your IDS is merely one tool among many for securing your network. Layering multiple security<br
/><table
width=150 cellpadding=8 bgcolor="white" align=right><tr><td><font
FACE="Verdana,arial,helvetica,geneva,sans serif" size="-1" color="#990000"><br
/><b>&#8220;The IDS is only as good as the people watching the IDS.&#8221;</b></font><p
align=right><font
SIZE="-2" FACE="verdana, arial, helvetica, geneva">-STUART MCCLURE, PRESIDENT AND CTO, FOUNDSTONE</font></p></td></tr></table><p> measures together is part of the well-balanced &#8220;defense in depth&#8221; strategy recommended by many security pros. Allen suggests that IT executives consider adding the following components to their security strategy: network-based intrusion detection sensors, host-based intrusion detection, a central reporting and monitoring console for IDS alerts and other network messages, firewalls, log file analysis and strong user authentication.</p><p>The key is making sure that you have adequate processes in place to manage the data generated by your IDS and to respond accordingly. &#8220;The IDS is only as good as the people watching the IDS,&#8221; says Foundstone&#8217;s McClure. &#8220;If you&#8217;re not going to monitor it, you might as well buy a $50,000 doorstop.&#8221; Rasmussen recommends that any IDS implementation should include clear processes for responding to alarms, policies governing network maintenance issues (such as IDS signature updates and operating system patches) and continued education of your network security staff.</p><p>Rasmussen also recommends starting small, with one or two IDS sensors at critical points on your network. That will make your IDS deployment small enough to be manageable, and give your network engineers time to learn the system and to tune it without getting swamped by thousands of alarms.</p><p>For his part, Williamson chose to test Arkansas State&#8217;s IDS in midspring, when network traffic was low, giving his engineers several months to get settled before activity picked up again when classes began in the fall. And he&#8217;s already starting to think of other uses for the IDS. They can adjust it to look for almost any type of network abuse, such as prohibited file-trading software. &#8220;If you wanted to, you could shut almost anything down,&#8221; says Williamson. 
Not that he&#8217;s taking such a draconian approach to network management&#8212;but the IDS is a powerful lens with which to keep an eye on network problems, and that is clearly a reassuring thought.<br
/><hr
/><p>Freelance Writer D.F. Tweney (<a
HREF="mailto:dylan@tweney.com"><i>dylan@tweney.com</i></a>) covers business technology and the Internet.<p>Link: <a
href="http://www.cio.com/archive/091502/et_article.html">Who&#8217;s on Your Network?</a></p><p>Link broken? Try <a
href="http://web.archive.org/web/*/http://www.cio.com/archive/091502/et_article.html">the Wayback Machine</a>.</p><p></span></font></p> ]]></content:encoded> <wfw:commentRss>http://dylan.tweney.com/2002/09/14/whos-on-your-network-2/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Strong Java</title><link>http://dylan.tweney.com/2001/11/15/strong-java/</link> <comments>http://dylan.tweney.com/2001/11/15/strong-java/#comments</comments> <pubDate>Thu, 15 Nov 2001 08:00:00 +0000</pubDate> <dc:creator>Dylan Tweney</dc:creator> <category><![CDATA[CIO]]></category> <category><![CDATA[Published Work]]></category><guid
isPermaLink="false">http://dylan.tweney.com/2001/11/15/strong-java/</guid> <description><![CDATA[Strong Java: Despite Microsoft&#8217;s best efforts, Java is well-established in the enterprise. Can it hold its ground? BY D.F. TWENEY THIS YEAR, the programming language-cum-development platform called Java turned 5. It now stands as one of the world&#8217;s most popular computer languages&#8212;and it continues to grow. The number of Java programmers is increasing by 10 percent per [...]]]></description> <content:encoded><![CDATA[<p><font
size=+3 FACE="arial,helvetica,geneva">Strong Java</font><br
/><br
clear=all/><font
size=-1 face="verdana, arial, helvetica, geneva, sans serif"><i>Despite Microsoft&#8217;s best efforts, Java is well-established in the enterprise. Can it hold its ground?</i></font><font
SIZE="-2" FACE="verdana, arial, helvetica, sans serif"><b>BY D.F. TWENEY</b></font></p><p><b>THIS YEAR,</b> the programming language-cum-development platform called Java turned 5. It now stands as one of the world&#8217;s most popular computer languages&#8212;and it continues to grow. The number of Java programmers is increasing by 10 percent per year, according to research company Evans Data.</p><p>Yet Java&#8217;s ascendancy hasn&#8217;t happened quite the way Sun envisioned back in 1996. In stark contrast to the swarm of Java applets populating the Web during its first years, client-side Java is almost nonexistent today. Instead, the language has moved behind the scenes, within the application servers that drive corporate websites&#8212;and increasingly, companies&#8217; line-of-business applications.</p><p>During the past year, enterprises have taken Java to heart like never before. The language has matured. Tools for developing and deploying heavyweight Java applications are readily available from Borland, IBM and Sun. And developers now have a wealth of experience with the language.</p><p>&#8220;Java today has become mainstream,&#8221; says Mark Driver, research director for Internet and mobile technologies at Stamford, Conn.-based Gartner. As a result, Driver says, Java applications are turning up everywhere from mainframes to mobile phones&#8212;and thanks to improved Java development and management tools, companies don&#8217;t necessarily need Java gurus to benefit from the language anymore.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Seeking Stability</font> <br
/>At Detroit-based Ford Financial&#8212;the financial services arm of Ford Motor Co.&#8212;Java is central to the company&#8217;s<br
/><table
width=150 border=0 cellpadding=4 cellspacing=6 align=right><tr><td
width=150 bgcolor="#003366"><font
face="arial, helvetica, sans serif" size=2 color="white"><b> Back to the Future: Java Goes Mobile </b></font></td></tr><tr><td
width=150> <font
FACE="Verdana,arial,helvetica,geneva,sans serif" size="-2">Java is quietly undergoing a renaissance on the client&#8212;this time as a platform for applications embedded in cell phones, PDAs and other mobile devices.</p><p><a
href="http://www.cio.com/archive/111501/et_sidebar.html">Read More</a> <br
/> </font></td></tr></table><p> migration away from a two-tier client/server model toward a three-tier thin-client architecture. While maintaining the company&#8217;s longstanding big-iron back end (IBM mainframes running DB2 databases), the company is now developing Java-based middleware applications that run on BEA Systems&#8217; WebLogic Java application server. Ford&#8217;s applications, which handle such core business tasks as loan origination and account management, now have HTML client interfaces, eliminating the need to support client-side software in the company&#8217;s eight service centers and 150 dealer locations&#8212;and making it possible to extend these applications to consumers on the Web.</p><p>Ford has no regrets about basing its IT infrastructure on what five years ago was a brand-new technology. &#8220;We selected [Java] because it met our scalability, flexibility and value needs; and it has really proven itself,&#8221; says Marcy Klevorn, director of customer branch and dealer systems for Ford Financial.</p><p>What&#8217;s more, Java now has only one serious competitor&#8212;Microsoft&#8217;s .Net framework&#8212;but that competitor is just getting out of the starting blocks. (See &#8220;<a
HREF="http://www.cio.com/archive/070101/et_article.html">.Net Gain</a>,&#8221; July 1, 2001.)</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Enterprise OS-1</font> <br
/>What catalyzed Java&#8217;s corporate growth was the release in early 2000 of Java 2 Enterprise Edition (J2EE). Not a product, but a set of standards and procedures, J2EE formalized a framework for building multitier Java applications, using technologies such as servlets (Java applets that run on a server), Enterprise JavaBeans to exchange data and application objects, and Java server pages (JSP) to generate HTML for Web-based applications.</p><p>J2EE caught on quickly, with developers lured in part by a well-stocked toolkit. &#8220;Even with just the J2EE environment provided by Sun, I&#8217;ve got a ton of my application already built,&#8221; says Ted Shelton, senior vice president and chief strategy officer for Scotts Valley, Calif.-based Borland, which sells Java development tools as well as Java application servers.</p><p>The standards provided by J2EE provide, in effect, an operating system for enterprise applications, handling low-level programming issues such as data access, file management and interoperability among application components. &#8220;Java is great by itself, but once the operating system galvanized&#8212;and that is J2EE&#8212;that&#8217;s what really made it go,&#8221; says Mark Carges, president of BEA Systems&#8217; e-commerce application components division.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Wide Industry Support</font> <br
/>Once J2EE appeared, enterprise software vendors, with the exception of Microsoft, quickly lined up behind it. As a result, Java&#8217;s biggest asset now is the wide range of middleware based on J2EE&#8212;BEA Systems, Bluestone, Borland, IBM and Sun&#8217;s iPlanet all offer Java-based application servers.</p><p>For enterprises, standardizing on one platform and language reduces risk, because the single standard makes it easier to replace software if necessary. It also simplifies integration issues and lets the same Java experts work on a variety of projects.</p><p>At Ford Financial, a central team of 25 Java gurus works with application development teams in the company&#8217;s various departments, providing help by evaluating vendors, assisting with integration and implementation, maintaining the underlying J2EE infrastructure, and looking for opportunities to reuse components and code among departments. &#8220;You&#8217;re only going to have so many people in an organization that really have strong [object-oriented] development skills. We try to isolate some of the nuts and bolts from the application teams so they can concentrate on the business logic,&#8221; says Jeff Lemmer, manager of the e-commerce and application architecture team at Ford Financial.</p><p>In some cases, business issues, rather than the language&#8217;s technical merits, lead a company to Java. &#8220;The majority of enterprises are not choosing between Microsoft or Java&#8212;they&#8217;re choosing Microsoft .Net, IBM WebSphere or BEA Systems WebLogic,&#8221; says David Chappell, principal of San Francisco-based IT consultancy David Chappell and Associates. &#8220;In choosing an enterprise Java product, the most important thing is that the vendor who makes your product will still be selling it five years from now.&#8221;</p><p>Eric Dean, CIO of Elk Grove Township, Ill.-based UAL Corp.
(the parent company of United Air Lines), makes a similar point, noting that WebLogic and its Java structure are convenient tools, &#8220;but there&#8217;s not a religion around Java.&#8221; Instead, the important feature is the middleware layer it provides, he says.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">Power Productivity</font> <br
/>In its earliest days, Java was touted as a &#8220;write once, run anywhere&#8221; language. It didn&#8217;t quite work that way&#8212;applications usually need some tweaking to run on different platforms. But what is truly transferable are people&#8217;s programming skills. Stu Stern, who heads Sun Java Center, the Palo Alto, Calif.-based Java arm of Sun&#8217;s professional services division, quips that it&#8217;s a &#8220;learn once, write anywhere&#8221; language.</p><p>In addition, IT managers appreciate the increased productivity of Java developers. Java provides a good balance between rapid development&#8212;thanks to its object-oriented nature and the wide availability of Java components&#8212;and the ability to access low-level computing processes. According to Richard Monson-Haefel, an author and programmer, productivity under Java is typically 20 percent to 40 percent higher than when using C or C++, thanks to built-in features such as automated memory management and the ease with which components can be reused. Ford&#8217;s Lemmer has seen application developers&#8217; productivity increase as much as two to three times when they move from C++ to Java.</p><p>Java developers are still in high demand, says Gartner&#8217;s Driver, but their numbers are increasing fast. While Java Developer Connection estimates that there are currently about 2 million registered Java developers, Gartner puts the number of &#8220;qualified&#8221; developers at about half that. But the company predicts there will be nearly 3 million experienced Java developers by 2005&#8212;forming a rich talent pool for enterprise IT departments to draw from.</p><p><font
face="arial, geneva, helvetica, sans serif" size="4" color="#000033">The Race Is On</font> <br
/>Still, it&#8217;s too early to say that Java has won completely. The corridors of computer industry history are littered with the corpses of companies that underestimated Microsoft. Although .Net is still brand new, one thing all commentators agree on is that Microsoft will continue to improve it until it becomes a serious threat.</p><p>&#8220;Over the next five years, we see two de facto platforms for a vast majority of e-business apps: Java and Microsoft,&#8221; says Driver. &#8220;We don&#8217;t see a clear winner. We expect a 40-40 split, or perhaps a 50-30 split in favor of Java,&#8221; with the remaining 20 percent divided among a variety of legacy and other platforms.</p><p>For large companies with a wide variety of platforms and hardware in their data centers, Java will probably remain the platform of choice, thanks to these companies&#8217; existing relationships with Unix vendors and to Java&#8217;s cross-platform strengths. For small and midsize companies, however, it&#8217;s much easier to standardize on a single platform&#8212;and that&#8217;s where Microsoft may enjoy an advantage, Driver says.</p><p>Regardless, the next five years are likely to see a lot of light and heat generated over the Java versus Microsoft issue. Take it all with a grain of salt. Both platforms are technically robust and will likely remain around for a long time, says Chappell. &#8220;Both are good enough. If that weren&#8217;t the case, one would be crushing the other one.&#8221; Whether or not that statement still holds in five years remains to be seen&#8212;but for now, Java is going strong. <br
/><center><font
SIZE="-2" FACE="verdana,arial, helvetica, sans serif"><br
/><hr
width=180/></font></center><br
/>D.F. Tweney <i>(<a
HREF="mailto:dylan@tweney.com">dylan@tweney.com</a>)</i> is an award-winning writer and editor covering business technology and the Internet.</p><p>ILLUSTRATION BY MICHAEL WOLOSCHINOW<p>Link: <a
href="http://www.cio.com/archive/111501/et_article.html">Strong Java</a></p><p>Link broken? Try <a
href="http://web.archive.org/web/*/http://www.cio.com/archive/111501/et_article.html">the Wayback Machine</a>.</p> ]]></content:encoded> <wfw:commentRss>http://dylan.tweney.com/2001/11/15/strong-java/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Back to the Future: Java Goes Mobile</title><link>http://dylan.tweney.com/2001/11/15/back-to-the-future-java-goes-mobile/</link> <comments>http://dylan.tweney.com/2001/11/15/back-to-the-future-java-goes-mobile/#comments</comments> <pubDate>Thu, 15 Nov 2001 08:00:00 +0000</pubDate> <dc:creator>Dylan Tweney</dc:creator> <category><![CDATA[CIO]]></category> <category><![CDATA[Published Work]]></category><guid
isPermaLink="false">http://dylan.tweney.com/2001/11/15/back-to-the-future-java-goes-mobile/</guid> <description><![CDATA[Back to the Future. By D. Tweney. Sun first touted Java as a universal client-side platform&#8212;and even went so far as to develop brain-dead network computers (NC) that relied on Java for their operating system and on servers for their storage and smarts. But NCs flopped, Java applets on webpages are a dying breed, and client-side [...]]]></description> <content:encoded><![CDATA[<p><br
clear="all"/><br
/><h1>Back to the Future</h1><p><br
clear=all/><i>By D. Tweney</i><br
/><font
size=-1 face="verdana, arial, helvetica, geneva, sans serif">Sun first touted Java as a universal client-side platform&#8212;and even went so far as to develop brain-dead network computers (NC) that relied on Java for their operating system and on servers for their storage and smarts. But NCs flopped, Java applets on webpages are a dying breed, and client-side Java now seems all but dead, especially now that Microsoft has pulled Java support from Windows XP.</p><p>Yet Java is quietly undergoing a renaissance on the client&#8212;this time as a platform for applications embedded in cell phones, PDAs and other mobile devices. One reason is the announced intention of major cell phone manufacturers to start selling Java-enabled mobile phones. Gartner estimates that 40 percent of PDAs and 68 percent of mobile phones will be Java-enabled by 2006. The prospect of hundreds of millions of Java-enabled mobile devices has many application developers drooling, and by this past June&#8217;s JavaOne conference, more than 150,000 developers had already downloaded Sun&#8217;s toolkit for mobile Java&#8212;the Java 2 Platform Micro Edition.</p><p>In the enterprise, Java-enabled cell phones and PDAs present an opportunity to extend feature-rich enterprise applications to mobile workers, such as traveling sales staff, field service personnel and delivery people. That becomes even easier as enterprises move toward XML-based Web services architectures, which make it easy for developers to extend applications to a variety of client devices.</p><p>United Air Lines, for instance, is building a Java-based middleware architecture, with the aim of making it easier to deliver data through a variety of client channels&#8212;including, ultimately, wireless devices, says CIO Eric Dean in Chicago. 
&#8220;Web services will be a great way for embedded Java to communicate back with the server somewhere,&#8221; says Mark Carges, president of BEA Systems&#8217; e-commerce application components division.</p><p>&#8220;Of course mobile and wireless environments are still very immature,&#8221; cautions Mark Driver, research director for Internet and mobile technologies at Stamford, Conn.-based Gartner. For now, few major corporations have actually deployed Java-based mobile applications; most are just testing the waters. But stay tuned: Once there are hundreds of millions of Java-enabled cell phones in the world, it&#8217;s only a matter of time before enterprise applications start reaching out to those devices. </font></p><p>For other resources at CIO.com :<br
/><a
href="http://www.cio.com/">CIO Home</a><p>Link: <a
href="http://www.cio.com/archive/111501/et_sidebar.html">Back to the Future: Java Goes Mobile </a></p><p>Link broken? Try <a
href="http://web.archive.org/web/*/http://www.cio.com/archive/111501/et_sidebar.html">the Wayback Machine</a>.</p> ]]></content:encoded> <wfw:commentRss>http://dylan.tweney.com/2001/11/15/back-to-the-future-java-goes-mobile/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
