Business Process reengineering BPR
August 5, 2008
If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting and have a nice day!
BPR is a form of organizational improvement. It aims to improve a business through restructuring of processes. BPR is given force by the thinking that old ways of organizing work are no longer appropriate for a competitive business environment. The ultimate aim of re-engineering processes to achieve better quality, service and innovativeness. The radical restructuring entailed in BPR is risky and uncertain.
Theoretical Foundations of BPR:
For hundreds of years, commercial activity has been based on the Adam Smith principle of Division of Labor. Division of labor encourages specialization and thereby leads to improved productivity.
The classical enterprise also exhibits the concepts of:
- Hierarchical control:- the classical layers of management
- Mass production of largely uniform goods/services
An organization based on these principles is successful in a stable market environment, characterized by growing demand for uniform goods/services. In a changed market environment characterized by sever competition, globalization, more demanding customers, smaller profit margins etc, the classical organizational models are less and less appropriate. BPR provides one alternative to the old methods of organizing business processes. The goals of BPR can be started in expanded form as either cost objectives or service objectives.
Cost Objectives:
- Reducing stocks: New materials or Intermediate goods
- Economies of scale in procurement
- Reduced staff costs (administrative costs)
- Competitive pricing of goods/services
Service Objectives:
- More reliable delivery system
- Stock availability
- Good after sales service
- Quick Response/adaptation to market changes
- Reduced product development lifecycle
Qualities of Re-engineered Processes:
- Several jobs are combined into one. This implies a reversal of the Adam Smith principle of division of labor and function. Workers make decisions, actual work and decision making are integrated.
- Processes are reorganized so that tasks are done in the most sensible/logical order.
- Checks and controls are reduced. The checks and controls are reduced to the minimum acceptable level. The checks and controls are also deferred.
- Reconciliation is minimized.
- A case manager is appointed to oversee the re-engineering process.
- Hybrid processes that combine centralization and decentralization by use of communication technology are often adopted.
- Processes have multiple versions (polymorphic) – the process is re-designed to include capabilities to deal with custom orders.
Contribution/Role of IT in BPR:
- IT is all essential enable of BPR; it enables processes to be re-engineered.
- It supports the re-engineered process
- Leading edge technology products can be particularly useful in process innovation. They can even lead the innovation process.
- IT also facilitates process integration.
- It has been argued that the most effective contribution of IT in business redesign is to enable an enterprise to do things that it was not doing before – extending the capabilities of the enterprise.
Candidates for BPR:
In theory, any business process can be subject to BPR; but in practice, certain processes can benefit more from BPR than others. Such processes have the following qualities
Dysfunction: The process is visibly out of order, it is problematic. Dysfunction in a process occurs when the process is slow (frustratingly slow), occasional complaints, generates errors etc.
Importance: Important processes that have a prominent place in the value chain. They contribute directly to the delivery of goods and services to the end consumer.
Feasible: From the managers stand point the BPR project is technically, economically and socially feasible/viable. Processes that require high capital input, or enjoy limited management support are less feasible for BPR.
What causes BPR projects to fail? (Pitfalls in BPR):
- Inadequate funding
- Insufficient management commitment/support
- Poor project leaders
- Inadequate feasibility evaluation
- Resistance to process change
- Failure to focus on most process re-design and dwelling on improving the existing process.
- Quitting too early or declaring victory too soon.
Re-engineering computer system:
At a minimum a computer system comprises of an ordered collection of hardware, software, and data resources. Computer systems are the basis for automated information system.
- Re-engineering computer systems means examining, rethinking and re-implementing such systems in a new form.
- The process is usually carried out on legacy options, re-implementing them in a more modern form.
- Re-engineering computer systems can be seen as a management response to the challenge of keeping old systems alive within a changing environment.
Merits
- The useful life of a system is increased
- The business value of such a system also increases
- Future maintenance costs are reduced
- The morale of maintenance staff may improve; because they know they are working in a modern system i.e. the systems become more maintainable.
Steps for BPR
- Identify process for innovations
- Manage business
- Manage people and work
- Identify change levels ( technology etc)
- Develop process vision – what you want to process must fit with the strategic direction of the organization (IS)
- Understand existing processes – study current process and understand necessary changes
- Design and prototype new process/create design of new process.
Approaches to re-engineering computer systems:
When a system is re-engineered any of the following changes may occur:
- It may be placed in a distributed platform.
- It will usually be re-documented
- The data may be migrated to a new database platform
- The code may be restricted
- The code may be written in a different language
Automatic Source Code Conversion:
This entails the use of software tools to convert source code in a given language.
- to code in a newer version e.g Cobol 74’ to Cobol 90’
- to code in a different language e.g Cobol 74’ to Oracle
The software tools cannot achieve 100% conversion and hence has to be supplemented with manual conversion.
Automated Program Restructuring
When code is maintained over an extended period, its structure and hence its efficiency, deteriorate. Indeed, the more a software product has been maintained, the more it costs to maintain it in future. When the program is re-structured:
- irreconcilable code is detected and removed
- complex control structures are simplified
- program modularity is enhanced
Use of software tools may not be fully effective. Manual rewriting of code may still be applied.
Automated program and Data Restructuring:
When the existing data structures are re-structured then even the programs that process the data have to be reviewed. When data is restructured:
- The overall model may be re-organized into one database.
- Data in a relational model may be modified to suit the needs of a different relational DBMS.
Re-engineering or Re-developing?
Systems targeted for re-engineering have 2 qualities
- They are heavily/regularly used
- They are currently being maintained a lot
Re-engineering usually has two main merits over re-developing. These are:
- Lower costs: re-engineering costs about ¼ of redeveloping
- Reduced risk: lower likelihood of making mistakes.
When deciding whether to re-engineer or to redevelop you may consider such issues as:
- budget provisions or costs constraints
- current state of the old system; the old system may be so old and messy that it may not be susceptible to re-engineering
- Time limitations: re-engineering is likely to be quicker than to redevelop
- Scope i.e. system scope; if the scope of the existing system is to be excluded substantially then it may be more practical to redesign and re-implement the system instead of re-engineering it.
- Perceived risk level; Risk arises from the combined effect of many factors. If the perceived project risk is high then it might be safer to re-engineer the system than to redevelop it.
Link between reengineering of computer systems and BPR:
Computer systems are usually embodied within business processes/systems such as accounts receivable, production planning, marketing and distribution, human resources etc. When such process/systems are re-engineered, then the supporting technology infrastructure also needs to be reviewed.
The overall aim of reengineering a computer system should be to re-align it with the existing business goals. The goals of a BPR project require an altered IT infrastructure then the existing infrastructure should be reengineered or re-developed.
System development methodology
August 4, 2008
“A methodology” is a recommended collection of philosophies, procedures, rules, techniques, phases, tools, documentation, management and training for developers of IS.
Objectives of Methodology
-
To capture, record and document accurately, the user needs.
-
To monitor the project and report on progress (project management ability)
-
To facilitate the development of quality system within the set time and set budget
-
To facilitate proper documentation of both project process and the project deliverables, assisting in future maintenance.
-
To facilitate at an early stage the mechanics of change control.
-
To facilitate the delivery of system that are liked by the end user.
-
Complete coverage of all the development activities involved in system development.
-
Simplicity: The tools, techniques e.t.c. should be easy to use.
-
Validation of the designs:- the methodology should conclude a mechanism for reviewing its own results.
-
Separation of analysis from design, there should be distinct focus on user need, quite separate from implementation needs.
A methodology can be said to have various features. These features can be categorized into technical model and managerial model.
A methodology needs to have a technical model. This model includes features like the tools, tools which will help the developers in the process of developing an Information System. These tools help in every phase or sub phase involved in the methodology. e.g. CASE tools, project management tools, Drawing tools , Data dictionary e.t.c.
A methodology also needs to have a technique. A methodology can have many techniques, Techniques helps to verify and expound on the methodology, thus they enable the phase and subphase of methodology to be carried out according to the methodology’s principle.
Technique act as guides of methodology’s phase. Technique address different parts (phases) of a methodology.
Techniques also enable easy understanding of what the methodology requires e.g. root pictures, conceptual model, DFD, Decision trees/tables, Entity Life Cycle, Structured diagrams, normalization e.t.c.
A methodology also needs to have a philosophy, in that it needs to have the underlying theories and assumptions that the authors of the methodology believes in. This feature helps to shape and guide the development of an Information System. It also enable the understanding of the methodology.
A methodology also has a managerial model that has a feature of a methodology. This feature is that of the development structure, in that a methodology needs to have a development structure that;
-
Identifies the phases, subphases, steps and tasks to be done in the methodology.
-
Identifies the outputs to be produced and under which circumstances they should be produced.
-
Constraints to be applied and people to be involved. This feature provides for the development process to be really managed and controlled.
Initially in the early 60s there was no appreciation for a methodology. Application systems were developed without the aid of an explicit Information System development methodology.
Also there was a growing appreciation of analysis and design parts of the system development and therefore the role there was increased demand for the role of an analyst and programmer.
There was also a realization that as organization grow in size and complexity. It was desirable to move away from one-off solution to a more integrated Information System.
There was also appreciation of an accepted methodology for the development of an I.S.
What is the rationale for writing a methodology
The rationale for writing a methodology are:
The methodology should improve the end product of a development process i.e. a better I.S.
A better development process: In that the methodology should provide improved management and project control so that the organization can gain from the benefits that accrue from a tightly controlled development process.
Selecting/Adopting
Theoretically speaking, the best methodology is the one that is best suited to the project work at hand. In practice, the best methodology may be the one that the designer understands well.
In some cases, the right methodology is the one that has been recommended within the organization’s standards.
Common Approaches
Adhoc: No formal recognition is given to methodologies
Contingency Approach: We use different methodologies, depending on the nature of the project.
Prototyping / Evolutionary Development: We use it in those context where the user needs are unclear, the business area is unfamiliar, the level of risk is high e.t.c.
Adavantages of a methodology
-
Increased user involvement translating to a more likeable system.
-
Prototyping has the inherent capacity for accommodating risks.
-
Quicker systems Development.
-
Superior User Interface.
-
Missing functions/features can be detected early.
Disadvantages of a methodology
-
Poor documentation.
-
Confusion between the prototype and the real system.
-
Project Management is difficult.
-
It is difficult to draw up a prototype contract.
-
As a consequence of poor documentation system maintenance may be difficult.
PRINCE (Projects IN Controlled Environments)
August 4, 2008
This project command structure may perhaps not be widely applied but it brings out the nature of the roles we tend to encounter in most systems development projects.
Steering Committee
This committee may go under different titles, but its main role is to guide expenditure on Information systems (IS) with a view to ensuring that such expenditure is in line with the business goals. It is the steering committee’s responsibility to ensure that projects concentrate on solving the business problem. Such a committee may undertake the following duties:
-
Formulating the IS strategy/plan
-
Prioritization of projects
-
Setting terms of reference for individual projects
-
Project progress control
-
Quality and acceptance testing
-
Project funding
Project executive/Sponsor
-
Taking care of project funding and organizing for the release of funds that have been allocated to the project.
-
Project progress control, perhaps in conjunction with the steering committee if one exists.
-
Justification of the project to the management body in charge.
-
Specifying the minimum requirements that the projects must meet if it is to achieve its business objectives.
-
Provide high level support as a champion for the projects
-
Keeping the project board or higher management informed of progress.
Senior User
-
Assisting in system requirements definition
-
Assisting the project team with quality review of the system interfaces.
-
Voicing the concerns of the perceived implications of a proposed system.
Project Manager/Leader
-
Supervision and motivation of the project team
-
Allocation of duties
-
Progress control on a day to day basis
-
Reporting on project progress to the project sponsor or senior management
-
Recommend termination of the project to the sponsor if necessary
-
Select and manage sub-contractors
Quality Control
This role may be served by a quality control team, quality control supervisor or some other person.
-
Setting the quality standards
-
Suggesting quality review techniques
-
Undertaking the quality review and making the appropriate recommendations
Technical roles
Depending on the project any or all of the following technical roles may be applied:
-
Business/System Analyst
-
Application programmers
-
System programmers
-
Analyst programmers
-
Telecoms engineers
-
Designers
-
Network technicians
-
Secretarial support staff
-
Data entry personnel
Analyst/programmer role
This role has become prevalent in the last 15 years and is the result of a number of forces/pressures. An analyst programmer is in charge of both system analysis and programming.
Some of the factors contributing to the increased popularity of this role are as follows:
-
A desire to reduce communication problems in system development: in the classical approach an analyst prepares a specification which a programmer subsequently applies a program coding, there is always a chance of communication breakdown between the two parties.
-
With the increased use of IT, even small enterprises are investing in the area however the system development workloads tend to be small and more attention is devoted to maintenance of existing system. It is therefore viable to have a limited number of personnel who can carry out both system analysis and programming.
-
Desire for increased productivity/efficiency: When a programmer implements a design specification that he wrote himself he may be able to do so quickly because no time is wasted in trying to understand the specification. The system is therefore implemented sooner.
-
Changes in a system development approaches, with the increased use of object oriented system development, it appears reasonable that the analysis and programming work is carried out by one person or the same group of people.
NB: This role appear to be quite popular even with the large organization indicating that the arrangement may be working well.
A person designated as a programmer analyst is likely to acquire a broader range of skills on the job with a positive effect on his career progression. However when mistakes are done there is less opportunity for detecting and correcting them. It is also likely there will be reduced rigor in problem analysis with adverse effect on overall system quality.
Object oriented technology
August 4, 2008
Emergence of Object Technology
This is essentially a software (as opposed to hardware) technology. It may be seen to be a programming design, database design or just a system development methodology. This technology is generally seen to represent a new and different system development paradigm/framework
In a way, the emergence of object oriented databases technology represents an effort to address the limitation of the popular relational model.
As a programming paradigm object oriented programming represents an attempt to radically improve on the existing structured programming practices. This technology is an entity that encapsulates both state and behaviour i.e. data, methods and processes.
Under this technology, systems are developed by or through modeling objects i.e. defining the objects, defining their states and behaviour, their interactions, classifications e.t.c.
The technology uses specialized environments; programming languages and database systems with object oriented support.
Advantages of the object technology
-
High potential for reuse i.e. objects are reusable components. This may be beneficial in that systems can be constructed quickly and cheaply.
-
Reduced maintenance load because well defined objects tend to be stable than conventional code and data tables.
-
object oriented databases tend to support higher quality data. Constraints can be more rigorous. This approach produces normalized models.
-
object oriented databases provide better performances, quicker access to data.
-
Ability to model/design advance databases systems, modeling of sounds, images in addition to text, modeling of complex inter-relatioships e.g CAD, CASE, multimedia systems e.t.c.
Why is the technology not so widely applied:
-
There is a time lag between the development of any new technology and its widespread use. People take time to adopt.
-
Object modeling seems to be conceptually more complex than its predecessors.
-
Their credit affect people who have the prerequisite skills and knowledge to steer the organization transition to this technology.
-
There is a lot of investment currently on relational DBMS and the cost of transition to object oriented will be very high
-
The relevant model is capable of handling most of the basic /conventional data processing need, thus most organisations are still benefiting from the current DBMS and thus the pressure to move to object technology is therefore minimized
-
Current database system have limited support for object technology which might be adequate for some business application.
Data Warehouse
August 4, 2008
Data Warehousing
Data warehousing represents an attempt to turn coporate data into a source of knowledge. A data warehouse has the principal aim of providing information that is truly useful for strategic decisions making. Information that constitutes a summarized and objective view of all areas of the enterprise.
A Data warehouse is a corporate decision support resource. It is a database that brings together data from diverse sources making it serve tactical/strategic decision needs.
One definition cites a warehouse as a support oriented, integrated, time variant and non-volatile collection of data in support of mangement’s decision making process.
Definition Quality of a Data Warehouse
Subject Oriented: i.e. data is organized along the lines of the key business entities e.g. suppliers, customers, stock e.t.c.
Integrated: the Data is from different subjects, sources and applications. It is held in such a way that it can all be applied collectively as one source
Qualities of Data
-
Time Variant; the data pertains to both current and past operations. The data occurs in layers parameterized by time.
-
Non-Volatile: the data is kept for a prolonged period of time without being changed or destroyed. However old data is stored in a more summarized form.
-
Specifically supports top level decision making.
-
Transaction levels are relatively low.
-
Applied at random intervals in a non-deterministic way.
Structure /Components of a Data Warehouse
-
Sources of operational Data
-
-
Old manufacture databases systems (corporate db systems)
Departmental Data (in databases or old filing systems)
External sources e.g. commercial data firms, internet etc
-
-
-
Load Manager (Front end component): this captures and prepares data, placing it in the data warehouses.
-
Warehouse Manager: This tool manages the data inside the data warehouse i.e. it does refining, back up e.t.c.
-
Query Manager (Back end component): Receives queries, schedules them and directs them to the correct data tables.
-
End user access tools: Used by the end user to place queries or otherwise process the data in a data ware house e.g. querry /reporting tools, data mining tools, online analytical processing tools.
-
Current data i.e. Data in the warehouse that pertains to recent operations. This is usually detailed data.
-
Summarized data: Data that pertains to past operations, retained in lightly or highly summarized form.
-
Archive data: old data images of the warehouse retained fort archive purposes.
Advantages of Data Warehousing
-
Very useful for trend analysis (assessing progress)
-
Improved quality of senior management decisions: good decisions often translate into better strategic advantage.
-
Great potential for competitive advantage in that analysis of the data warehouse may reveal patterns or trends that were previously unknown thus managers can capitalize on this information for competitive posturing.
-
High returns on investment
-
Improved managerial control because the manager has a broader and deeper weight into all areas of the enterprise which enables them to control the enterprise more effectively.
Disadvantages of Data Warehousing
-
Projects have a long time frame: the longer a project takes the more risky it becomes.
-
Some of the required data may be missing from operational systems; the data gaps presents a design challenge.
-
Other problems in the operational systems: if there is a problem with the system or operational system this problem may be transferred to the warehouse.
-
Data warehouse systems are high maintenance systems.
-
Underestimation of the data loading needs.
-
Need for large storage facilities: storage needs may be in the order of multiple petabytes.
-
Increased end user demands: When the warehouse is installed user requests for assistance and /or information may increase instead of reducing.
-
Data ownership; the data in the warehouse is a trully shared resource thus lack of data ownership.
-
Data homogenization: The data in the warehouse may infact not serve the intended purpose.
Data Marts
This is a small-scale data warehouse, specifically intended for departmental/divisional use.
The data mart may be a logical unit of the corporate data warehouse or it may be an independent resource.
The emergence of Data marts is a response to the challenges associated with the design and operation of enterprise wide data warehouses.
A Data mart is smaller and thus easier, cheaper and quicker to develop.
A data mart enables us to enjoy the benefits of a data warehouse, but on a smaller scale.
Critical Success Factors (CSF)
June 28, 2008
The technique suggests that strategic information requirements can be uncovered by a 3 stage process.
Firstly the identification of a number of critical success factors (CSF).
CSFs are a handful of things within someone’s job that must go right for the organization to flourish. They are the factors that the manager wishes to keep a constant eye on.
Secondly, they pinpoint critical decisions that need to be made.
The determination of the information required to support these decisions
Example:
CSF: Minimize length of time a part is kept in stock
KD: It might decide what quantities must be ordered
IR: it would need order on demand (rate of sale)
Meeting this CSF ensures that the investment in stock is kept low and that part reach dealers quickly. As this examples shows it is necessary to be clear about business objectives before embarking on CSF Analysis. The process of CSF Analysis allows managers, initially senior ones to articulate the needs in terms of their information management control that is absolutely essential to them.
These needs are influenced by factors such as:
- The industry within which the firm operates
- The environmental factors such as local politics and economic situations
- The firm’s industry position
- The Manager’s position in the management hierarchy.
Prior to the use of CSF there was a rift between the consumers of information i.e. user management and the providers of information i.e. information systems. So CSF can give some guidance on needs in such a way that the effect of the rift is minimized.
CSF must be:
- Intelligent to senior managers
- Intelligent to IS/IT Managers
- Possible to act on (capable of implementation)
CSF Analysis can be applied lower down in the management structure but it gets more and more difficult to articulate as we move down the hierarchy. However, it is generally useful to use several management levels in order to validate the CSF and get a broader picture. Below is an example of the tactical level.
CSF:
- Effective Management control of people/staff
KDs :
- Setting performance standards
- Specification of training needs
- Determination of whether or not to introduce overtime
IR
- Performance reporting
- Budget Allocation
- Exception reports
Challenges of CSF:
- The analysis needs very skilled and very perceptive interviewers to do the abstracting of CSF from senior manager.
- The more removed from the management apex a specific manager is the harder it is to apply CSF analysis. Many managers who are not already involved in strategic planning find CSF analysis too abstract.
- It is usually impossible to build a true picture of the organization’s information requirements using only CSFs.
- The decisions resulting from CSF analysis may ignore any resource constraints, surrounding their realization.
SWOT ANALYSIS and IT
June 28, 2008
b) Are there gaps/opportunities we can go for?
c) Are there dangers/threats we need protection from?
d) Are we strong in the right way to exploit the opportunity where one exists?
SWOT ANALYSIS AND INFORMATION SYSTEMS
With the particular reference to information systems a SWOT Analysis may address such issues as:
Approach to Information systems:
Whether the organization seeks to lead others or just float with the tide? Does the organization see its information systems as a necessary evil, a scarce resource or a transforming aid?
Use of Information Systems
Are there number of systems which are of poor quality i.e. not easy to use? Systems that are management oriented rather than task based?
Delivery of Information Services:
What is the role of users and user management systems development and operation? What proportion of corporate resources is tied in system maintenance? What system development tools and techniques are in use? What is the quality of technical support available?
Data availability and Management:
What is the degree of data redundancy in the application systems? Is there availability of common data across various processing applications? The quality of data management platform (DBMS)
Having become aware of the potential effect of information systems in an enterprise, we can make further use of SWOT techniques
Weigh up the risks associated with each possible decision
Possible Responses on the Basis of SWOT Analysis:
When both opportunities and strengths are present then the organization is in a position to attack its competitors through the use of information systems with a good prospect of success.
Conversely when threats are faced where there are weak capabilities then the organization must take steps to protect itself from its vulnerability to attacks from its competitors.
When there is value adding opportunities for information systems, but the organization finds itself with weak information systems capabilities then they should beware of following this up since they are less assured of success than others in their sector with more adequate information systems.
Should the organization find itself having strong information resources alongside threatening situations, it should explore avenues to both maintain that quality against the opening up of opportunities and to identify overlooked potential.
Strategic Information Systems Planning (SISP)
June 28, 2008
This is the process through which one enterprise conceptualize or formulates ideas for the development of strategic information systems i.e systems that affect the very fabric of the enterprise – the goals, the strategic processes and external relationships.
Importance of SISP
Planning also ensures that whenever new systems are build they can communicate or interface properly with pre-existing systems, thus avoiding the problem of “
SISP ensures that the IS/IT infrastructure is consistent with the strategic vision (business goals) of the enterprise. This is the modern view of SISP.
Who should be Responsible for SISP:
There are a number of ways in which the SISP role could be handled.
By an IT Director
The IT director knows a lot about current technology and technological trends and is very well placed to put that technology into business use. However the IT Director may not be very good in the area of business, and strategic planning. At worst, he might recommend systems with no strategic relevance from a business standpoint.
However these days we have people called Hybrid IT Managers who have formal training both in IT and business. Such managers might produce better planning results than the traditional IT Managers.
Except in firms that are small and use the full time services of hybrid IT Directors the SISP role is likely to be vested elsewhere.
Top management is especially aware of the strategic vision of the enterprise. Such management would also not find it difficult to identify the information needs to support the business goals.
On formulation of a strategic information system plan, the top management can leave the implementation work to the IT Director and his team. The IT Director can subsequently formulate an IT plan to set up the appropriate IT infrastructure.
However top management who are not technology aware i.e. do not understand the available technology and its potential applications may still be conservative in their planning.
Top management who are not technology aware also tends to be reluctant to participate in strategic information planning. There may be a temptation to delegate such planning to the IT Director who is more knowledgeable on matters of IT.
Use of IS Steering Committee
This is ideally a multi-disciplinary team bring together people with a variety of skills and experiences. The team would usually have representatives of top management, IT management and key departments. Use of committees is often an attractive option but there are several challenges involved:
The several challenges involved are:
- Setting up such a committee and keeping it running calls for a higher level of discipline and commitment.
- Planning through committees may be time consuming.
- The biggest mark to the use of information systems steering committee is that they reach decisions through consensus – basic democratic principle.
Use of outside planning consultants (outsourcing)
Outside consultancy may bring in a wealth of planning experience. Outsiders may also be more objective in that they have no pre-conceptions about the organization. However use of consultancy may be expensive and hence unaffordable.
The consultants may not have a proper awareness of the organization’s goals, culture and aspirations and may therefore recommend systems that are not sustainable in the enterprise. There is a temptation to recommend systems that have been observed to work well elsewhere, which does not mean they will work well in this particular organization. The organization’s own personnel e.g. IT manager, might detest the idea of using outsiders to plan the organization’s IS/IT affairs.
Firewall
March 31, 2008
In the era of the Internet being necessary for business, companies have found out that they need to think long and hard about the security implications of an internet connection. One needs to find a form of security policy that includes the number of machines and systems with Internet connection.A firewall is a set of tools (firmware i.e. hardware and software) designed to prevent unauthorized access to a network. A typical firewall is based on 2 architectures i.e. the “choke router” and the “bastion host”CHOKE ROUTER
This involves using a router to limit access i.e. using access control list to control which IP packets are routed and to where. You can use it to deny access to your network for specific types or to make sure that specific packets are delivered to specific machines.BASTION HOST
This is a computer that is used for only one purpose and that is to pass packets between your network and the Internet. It is a dedicated machine with two separate NICS, It acts as an active router linking the private network to the Internet, monitoring the state of the connection and blocking packets that do not meet the rules defined. This machine should not be used for anything else e.g. checking e-mails. The Bastion host must be configured to prevent any packets from being routed directly between its networks interfaces.
THE DMZ
The DMZ lies between the choke router and the bastion hosts. It is a partially protected area where one can install public services. Machines in the DMZ should be used for only one purpose and should not be fully trusted e.g. web server, FTP Server. Any extra service should be disabled and user accounts kept to a minimum. Some DMZ are mode secure by hosting a third NIC to host-public services and using a firewall to protect them rather than a choke router.
CHOOSING A FIREWALL
There are two technologies that are used to build a firewall i.e. packet filters and application gateways.
One can use packet filtering technologies which can allow or prevent access to specific services from specific machines. It can be done on the sites access routers (high level) or in a specific firewall. A router alone cannot effectively monitor all incoming and outgoing IP packets thus protocols like FTP that use more than one data stream present a problem. It gets worse when using connectionless protocol like UDP.
Circuit level or application gateway are used to act as routers that pass only specific packets onto specific machines (e.g HTTP requests to a web server or SMTP to mail server). Circuit level gateways open a virtual circuit on receiving a valid handshake but don’t analyze packet traffic.
Once a firewall has been built you can add extra features like virus checker between an email gateway and your SMTP mailer so all encapsulated files are virus checked before entry to the system.
NB: A proxy server is not a firewall, they make it easy to connect to the Internet but don’t protect it from intrusion.
RUNNING A FIREWALL:
Once a firewall is chosen, one then defines the rules of procedure you will use to defend your system. Test your firewall regularly by using scanning tools.
Routers
March 31, 2008
Routers
A router is a device that connects multiple networks and routes packets from one network to another. A router may be used to inter network similar or dissimilar networks (e.g. Ethernet, or token ring). An inter-network is composed of subnets (sub-networks). The main feature of a router include:
- Routers work at the network layer. They are able to identify source and destination network addresses within packets.
- Routers are able to keep track of multiple active paths between any given source and destination network.
- Routers provide excellent traffic management using sophisticated path selection, they select the best routes based on traffic loads, line speeds, number of hops or administrator preset cost. The parameters used for determining routes for packets is generally known as metrics.
- Routers can share status and routing information with other routers, and can listen to the network and identify which connections are busiest or not working. They rate network traffic avoiding slow or malfunctioning connections.
- Routers do not forward any information that does not have a correct network address. They do not forward bad data, they also filter broadcast traffic by not routing broadcast pockets.
Note:
A router may be a dedicated box with a port to each of the networks, or it may be a NOs server with multiple interface cards. (This is known as multi-timed).
Routers often support multiple protocols (e.g. TCP/IP, IPX/SPX), but not all protocols are routable e.g. NetBeul and DLC.
Routable protocols differ from non-routable protocols in that they contain information in each packet relating to the network address of the source and destination routes.
Choosing a routing Path:
A routing algorithm is used to build a routing table for forwarding packets. There are 2 types of algorithms used.
(a) Non Adaptive:
The choice of route is normally configured into the router. This is run as static routing.
b) Adaptive:
Routing decisions are based on traffic levels, connection speeds and a number of hops, or administrator preset costs. Routing information is obtained from other routers. This is known as dynamic routing.
The routing table contains the following information.
- Address of all known networks
- Interface of the router used to forward packets to the network.
- Next router in the path to the network.
- Metric or cost of using this path. If multiple paths exist, use the path with the lowest metric.
Static and Dynamic Routers:Static Routers:
Static routers require the administrator to manually configure routes through each network (The routers do not communicate amongst themselves).
This configuration is only possible with a small number of routers and does not provide the flexibility of dynamic routing. Its advantage is that complete control remains with the network administrator.
Dynamic Routers:
These routers automatically discover routes by communicating with each other. They require minimal configuration since their routing table are built and modified through these communications. It’s high flexible and can reach to changes in the internetwork e.g. route
Dynamic routers use routing protocols to manage information.
- Open shortest path first (OSPF) uses a link state algorithm to calculate routes based on the number of hops, line speed, traffic and cost.
- Network link state protocol (NLSP): This is the equivalent of OSPF for network environment.
- Routing Information Protocol (RIP): This method uses distance vector algorithm to determine routes. This is less efficient than link state algorithm because
The entire routing table is broadcasted instead of just the changes which result in large and often multiple packets (there is a maximum of 25 entries per R.P. packet).
The entire routing table is broadcasted at regular interval (every 30 seconds) resulting in considerable network traffic.
The routing table are slow to stabilize when a change in the internetwork occurs.
Brouters
These are routers that can also bridge. A router routes any routable protocol - supported, but bridges any other frames. These devices combines the best of both a bridge and a router.
